
Top Five Questions to Ask Your Cyber Liability Insurance Carrier 

David Trepp 

Protecting your business from a cyber attack has never been more paramount. Data breaches cost businesses an average of $4.24 million in 2021, a 10% rise from just a year earlier. The widespread shift to remote or hybrid working models during the pandemic has created a perfect storm for online attackers, and U.S. government agencies have issued warnings about potential increases in cyberattacks due to Russia's invasion of Ukraine. Small and medium-sized businesses should take stock of their cyber liability insurance, even as premiums rise. In spite of this dramatic rise in premiums, cyber liability insurance can be money well spent. To get the most out of your cyber liability insurance policy, here are the top five questions you should be asking your cyber liability insurance carrier.

What systems are covered?  

Your cyber liability insurance exists to protect your business from online risks relating to your information technology infrastructure and activities. You should ask your carrier if your policy covers online activities on mobile devices and cloud systems and applications. You should also inquire as to whether your coverage extends to vendor-owned or managed systems, as well as to any contractor hosts. Finally, if applicable, as biomedical and industrial control systems are playing an increasingly significant role across a variety of industries, you should ask your carrier if those systems are covered by your cyber liability insurance policy.  

Are there exceptions to coverage related to inadequate due diligence or due care?  

While most business owners are diligent in implementing appropriate safeguards against a cyber-attack, few businesses have comprehensive, fully documented, rigorously managed cybersecurity programs. You should ask your carrier if there are exceptions to coverage related to inadequate due diligence or due care as it relates to vendor management and patch and configuration management. You should also ask if there are exceptions to coverage related to an inadequate risk assessment or penetration testing program, including inadequate program documentation. And, as cybersecurity extends to all levels of your business, you should ask your carrier if there are exceptions to coverage related to employee awareness training and board or executive governance training. Whether or not any of these exceptions to coverage exist within your policy, your top priority as a business owner is ensuring that you have applied as thorough a level of due diligence across all of these areas as possible.

What constitutes a covered data security breach?  

Generally, coverage provided by cyber liability insurance policies includes first-party coverage against losses such as theft, hacking, extortion, data destruction and denial of service (DoS) attacks. You should get the specifics, however, and ask your carrier if your policy covers a social engineering attack (i.e., phishing), a ransomware attack or even a physical attack. You should also ask whether an inadvertent disclosure of Personally Identifiable Information (PII) is covered, as well as whether state-sponsored acts or prior acts are covered. Finally, you should determine whether losses outside of a breach event are covered, such as a related client- or customer-led class action lawsuit.  

What will the policy pay for? 

Business owners should be as specific as possible when discussing cyber liability coverage and should plan to budget for any costs of a potential breach event that the policy does not cover. You should ask your carrier if your coverage extends to business interruption and reputation loss (including post-incident public relations expenses). You should also ask your carrier if your policy covers any legal fees incurred, as well as any regulatory claims and fines. In the case of a ransomware attack, will your policy cover the ransom payment (in whole or in part)? You should also ask if your policy covers related expenses such as a criminal reward fund, investigative costs, forensics and recovery costs.

Are there any overlapping provisions with my property policy? 

Most traditional commercial general liability and property policies exclude protection from a cyber-attack, but you should ask your carrier if there is any overlap to ensure you are not paying for the same coverage twice. Be sure to ask about business interruption provisions within your general liability or property policies in particular. 

As cyber-attack incidents continue to make headlines, small and medium-sized business owners need to protect their businesses and their customers from liability. Having a thorough discussion with your cyber liability insurance carrier is critical and should be done at least annually to ensure you are up to speed on the latest coverage changes. Finally, be brutally honest filling out any application or questionnaire your carrier sends you, as your claim may be denied for a fraudulent application.  

For more information about how BPM can help you navigate the cybersecurity liability insurance needs of your organization, or any other aspect of your cybersecurity efforts, please reach out to David Trepp at: [email protected] 
