Cyber insurance is an important tool in an organization’s overall cyber risk management strategy, but many organizations lack adequate cyber insurance if they do have the coverage at all. A report by CYE found that 80% of insured companies that suffered a data breach did not have sufficient coverage ( https://www.marsh.com/en/services/cyber-risk/insights/ransomware-a-persistent-challenge-in-cyber-insurance-claims.html). Cyberattacks are some of the biggest risks businesses are facing. Organizations are increasing their cybersecurity budgets and implementing more technical controls, yet organizations are still struggling to ensure they have adequate coverage. Adequate cyber insurance in today's cyber threat landscape is not simply nice to have; it is a need.

A large reason for gap is the lack of understanding of what is covered within a cyber policy. So, let's jump into what a comprehensive cyber policy consists of!

A comprehensive cyber policy consists of three parts: first party, third party, and cyber-crime coverages. First party is direct loss and out of pocket expense incurred by you. Third party is defense and liability incurred due to alleged harm caused to others by you. Cyber-crime is financial loss suffered by an organization arising from the use of computers or other means to commit fraud or theft.

Let's begin with first party coverage. The "bread and butter" of cyber coverage is really the incident investigation and response costs piece. This is costs to hire legal, forensics, provide breach notification, and obtain PR services. An expert privacy law firm helps to determine data breach reporting and notification requirements and to assist in managing the incident response process under client-attorney privilege. They also help ensure proper credit monitoring services are given in breach notification. Forensic experts help to determine the existence, cause, and scope of incident while helping to contain it. PR helps to protect brand reputation as the result of a privacy or security breach. The global average cost of a data breach in 2024 is 4.88M according to IBM (https://www.ibm.com/reports/data-breach), and most of these costs are incurred in incident investigation and response.

First party coverage also includes business interruption and extra expense coverage. This includes the loss of income or extra expense incurred due to a network security breach or system failure (like a faulty update) preventing access to critical data or performing day-to-day tasks. Contingent business interruption extends business interruption coverage to a network security breach or a system failure of a vendor your organization contracts with. Data restoration covers the costs to restore, recreate, or recollect your data or other intangible assets that are corrupted or destroyed by a cyberattack. Ransomware continues to be a widespread issue. Cyber extortion covers costs to negotiate and pay an extortion payment as deemed necessary.

Third party coverage consists of privacy liability, security liability, media liability, and privacy regulatory defense costs and fines / penalties. Privacy liability provides coverage for liability and defense costs resulting from failure to prevent unauthorized access, disclosure or collection, or failure of others to whom you have entrusted such information, for not properly notifying of a privacy breach. Security liability covers the liability and defense costs incurred as the result of a failure of system security to prevent or mitigate a computer attack.

Media liability covers liability and defense costs for libel, slander, disparagement, misappropriation of name or likeness, plagiarism, copyright infringement, negligence in media content. Privacy breach and related fines or penalties assessed by regulators are also covered underneath third party coverage. This covers costs to defend and/or respond to an inquiry or action from Attorney General, FTC, or other regulator due to an actual or suspected privacy or security incident and pay for assessed fines/penalties.

Finally, there is cyber-crime. This covers various financial losses as the result of cyber fraud or theft. Cyber-crime is a persistent issue across industries. In 2023, the FBI reported losses over 2.9 billion as a result of business email compromise, a common method for these kinds of attacks. Social engineering covers you for the transfer of funds to a third party when relying on fraudulent instructions. Funds transfer fraud covers the loss of funds contained in an account from a financial institution resulting from a fraudulent instruction impersonating you to your financial institution. There is also invoice manipulation which provides coverage of funds you do not receive due to a breach causing fraudulent electronic communications impersonating you to be sent to a client.

Cyber can be complex between rapidly evolving threats, continued advancements in technology, and new coverages becoming available. It is important now than ever to partner with someone who understands current trends, unique cyber risks for your industry and specific organization, and cyber risk management strategies. Contact us today to help tailor a cyber insurance program to protect you when it matters most.

 For more information visit www.MMANorthwest.com/cyber or reach out to Kacey Wheeler at Kacey.Wheeler@MarshMMA.com