This content is independent of any content coming from insurance brokers, insurers, law firms, or other insurance lobbyists. Commercial insurance is rarely taught in schools, and when it is, it’s mostly done through the lens of brokers or insurers. As with many other topics in commercial insurance, there are many misconceptions around Cyber Insurance Liability and First Party coverage, due to bad habits acquired through over-reliance on insurance brokers, insurers, or information providers who are lobbied by them. It is also important to note that insurance has both an operational aspect and a legal aspect, on which we put weights of 95% and 5% respectively in terms of importance to protecting a business and its investors (the point is that going to court to enforce coverage defeats the purpose of buying insurance, so you want to make sure that whatever insurance you buy protects your business properly and pays out fast on large losses).
The video above shows real-life examples of cyber events leading to financial losses to various organizations around the world. Cyber insurance liability and first party coverage play a major role in reducing direct or indirect losses of organizations due to Cyber Risk. It's important to remember that the insurance must be reworded by risk experts independent of brokers and insurers for it to be effective and least costly.
Cyber Risk Management
Cyber Risk Meaning
It is the risk of a cyber event leading to financial loss either directly or indirectly. Financial loss related to Cyber Risk is broken down into First Party costs and Third-Party Liability costs.
• First Party costs include an organization’s direct expenses or lost profits such as:
- restoration expenses;
- interruption in business operations leading to a loss in revenue and therefore profits;
- investigation costs;
- notification expenses;
- costs related to public relations efforts;
- reputational damage.
• Third Party Liability costs include the costs of indemnification, defence, or settlement of civil suits, as well as the costs of regulatory proceedings.
- Examples of civil suits include lawsuits brought by customers, suppliers or business partners, employees, or other parties, as a result of damage they have sustained from a cyber event;
- Examples of regulatory proceedings are fines applied by privacy commissioners.
Cyber Risk Quantification Models
Most models, such as ours, are proprietary in nature; however, certain regulatory bodies, such as those in Europe, provide a starting point on how to measure Cyber Risk (ex. European Banking Act).
Cyber Risk Report
Such a report can be drafted on a stand-alone basis or as part of a comprehensive report on Operational Risk. The report should include measures of Cyber Risk (currency impacts and probabilities of occurrence of different cyber risk events), recommended and implemented cyber controls, details of cyber insurance, relevant benchmarking, and ways to monetize a more competitive cyber risk profile.
Cyber Risk Rating
Using our proprietary models, our team provides ratings for cyber risk either as part of an overall Operational Risk Rating, or on a stand-alone basis. It is recommended that such ratings be updated on a quarterly basis for publicly traded companies and presented to investors as part of quarterly earnings.
Cyber Risk Management Process
First, Cyber Risk needs to be quantified (the severity in currency terms as well as the probability of occurrence of specific cyber risk events). Second, adequate controls must be implemented based on the size and type of organization (ex. password security protocols, etc.). Third, Cyber Insurance must be purchased; however, it has to be reworded to match the organization’s profile before it is bought from a broker or insurer. The insurance also needs to be triggered clinically in the event of a loss by experts who are independent from any broker or insurer. Finally, a re-measurement of the risk must be done to ensure that the steps within the cyber risk management process have been implemented correctly. It is recommended to review and update the process on a quarterly basis for mid-sized companies, and at least annually for small businesses.
Cyber Risk Governance Framework
Cyber Risk, along with other major forms of Operational Risk, should be dealt with professionally and in a structured manner that is clearly outlined within a company’s governance framework. Areas of governance include oversight, compensation, insurance, and other related matters. We recommend that such a governance framework be reviewed at least quarterly by the Board of Directors for mid-sized companies.
How To Quantify Cyber Risk
Our team uses proprietary models and methodologies to quantify Cyber Risk. This includes providing probabilities of occurrence on different cyber risk events as well as their corresponding currency impacts.
Cyber Risk Program
This can include a set of risk protocols as well as a standardized cyber insurance policy to be used by members of a specific association or a group of entities that are required to meet certain cyber protocols.
Cyber Risk Types
There are two broad types of Cyber Risk:
1. First Party risks: these are risks that directly impact an organization as a result of a cyber event (ex. ransomware event);
2. Third Party risks: these are forms of Liability Risk that are an indirect impact of a cyber event (ex. a cyber breach occurs, which then results in a customer lawsuit).
Cyber Risk Strategy
Please refer to the above section ‘Cyber Risk Management Process’.
Risk Management For Cyber Security
Please refer to the above section ‘Cyber Risk Management Process’.
How To Calculate Cyber Risk
Please refer to the above section ‘How To Quantify Cyber Risk’.
How To Mitigate Cyber Risk
Mitigation is done through either (a) cyber controls; and/or (b) cyber insurance.
How To Reduce Cyber Risk
Please refer to the above section ‘How To Mitigate Cyber Risk’.
Cyber Risk And Insurance
Insurance is part of the risk management process for Cyber Risk. It has to be reworded and triggered independently of brokers and insurers. Please note that Cyber risk should be specifically hedged through a dedicated Cyber insurance policy, which offers Cyber Insurance Liability coverage as well as Cyber Insurance First Party coverage, and not through other commercial insurance policies including but not limited to the ones listed below, which either provide limited cyber coverage or none at all:
• Commercial General Liability
• Directors’ and Officers’ Liability
• Professional Liability (E&O)
Cyber Insurance Risk
Also known as Cyber insurance basis risk, this is the risk that the cyber insurance does not pay out as expected, which includes no, low, or delayed payouts. This risk applies to both Cyber Insurance Liability coverage as well as Cyber Insurance First Party coverage.
What Does Cyber Risk Insurance Cover?
First party losses as well as third party losses. Examples of first party losses include notification expenses that are required to meet privacy regulation notification requirements in the case of a cyber breach. Examples of third-party losses include liability from customers or others in the event of a cyber breach, which are covered under Cyber Liability Insurance or Cyber Insurance Liability Coverage.
Cyber Risk Quotes
Please contact us if you are looking for cyber insurance quotes. We would reword the coverage to fit your operational details and have brokers compete for your business for the most cost-effective results.
Cyber Risk Exclusion
It can be an exclusion under any form of commercial insurance that is not cyber insurance. This is simply due to the fact that insurers generally exclude risks that can be insured by separate products.
Cyber Risk Policy Template
You can ask your local broker for a copy of a sample cyber insurance policy. Generally, a cyber insurance policy will be divided into two main sections: (1) First Party coverage; and (2) Third Party or Cyber Insurance Liability coverage. Each section will have its own set of insuring agreements, definitions, exclusions, terms and conditions, alongside general conditions applying to both sections.
Cyber Insurance Liability
Most commonly referred to as Cyber Liability Insurance or Third Party Cyber coverage, it is insurance against Liability Risk that is a direct result of a cyber event (ex. data breach, virus, hack, etc.). For example, an airline company sustains a data breach whereby hackers get hold of the personal information of customers. Customers then hire lawyers to form a class action lawsuit against the airline company for compensation.
POPULAR SEARCHES ONLINE
Cyber Insurance Online Quote
You can fill out and submit this form. It’s an easy 1-step process, and our team will send you a proposal.
Cyber Insurance Premiums
Recently, cyber insurance premiums have been increasing due to various data breaches, ransomware, and other cyber events that have resulted in losses to insurers. However, competition amongst insurers is increasing and new insurance companies keep entering the market, putting a cap on the increasing premiums.
Cyber Insurance Pricing
Pricing depends on the type of organization being covered, including its size, industry, cyber controls, amongst other factors. It is very hard to estimate pricing without details as some companies can pay as little as $500 for a $1 million limit in cyber coverage whereas others can pay hundreds of thousands or millions of dollars in premiums for the same cyber insurance limit.
Cyber Insurance Coverage
Primary coverage sections include:
• Security/Privacy Liability Coverage (part of Cyber Insurance Liability coverage)
This section covers loss from 3rd party claims for:
› Actual or potential unauthorized access to customer or employee personal information;
› Unauthorized access into computer systems or a computer system of an organization the insured contracts with to process, hold or store information;
› Cyber attacks to the insured or its processors that impair the use of a 3rd party’s computer system;
› Damage to a person or organization’s reputation in connection with the insured’s cyber activities.
• Privacy Notification Expenses
This section covers the insured’s reasonable privacy notification expenses to persons whose personal information may have been subject to a privacy breach.
• Crisis Management Expenses
This section covers the insured’s reasonable costs for outside legal counsel, forensic investigators, public relations consultants, advertising and public relations media and activities.
• E-Business Interruption and Extra Expenses
This section covers the insured’s loss of income, after a 24-hour waiting period until computer operations are restored, as a result of a cyber attack (immediate coverage is also available for expenses needed to continue operating).
• Reward Expenses
This section covers amounts paid by the insured to informants leading to the arrest of the cyber attacker(s).
• Regulatory Action Coverage (part of Cyber Insurance Liability coverage)
This section covers the insured’s defence costs incurred in defending actions brought by Privacy Commissioners and other government regulators.
• E-Threat Expenses
This section covers funds and property where the insured surrenders same due to a threat involving the fraudulent input of data (also covers related expenses).
• E-Vandalism Expenses
This section covers the insured’s costs of blank media and labour to restore data in connection with data vandalism.
• Consumer Redress Funds
This section covers any money the insured must deposit in a fund for the payment of consumer claims as a result of a regulatory action.
Cyber Insurance First Party Coverage
Coverage for costs borne by an organization as a result of a cyber event including direct expenses or lost profits. Included in such coverage are expenses to comply with regulatory notification policies, expenses to fix and restore systems, PR expenses, lost profits due to business interruption, and other costs.
Cyber Insurance Exclusions
Every cyber insurance policy is different, whether it’s first party coverage or third-party coverage (aka Cyber Insurance Liability coverage), and its corresponding exclusions are different as well. Please treat the following list as a general one that can materially differ from one policy to another based on how the exclusion is worded or whether it exists within a specific policy. Cyber insurance exclusions include but are not limited to exclusions for:
- Fraudulent conduct;
- Prior knowledge of a loss;
- Prior or pending litigation;
- Bodily Injury and Property Damage;
- Infrastructure Outages;
- Other loss scenarios.
Cyber Insurance Limits
Any one company can find cyber insurance limits of over $300 million. That said, the cyber insurance limit to buy largely depends on the cyber risk measurement and assessment of the organization buying the insurance. Many companies make the mistake of relying on benchmarking provided by insurance brokers and companies; such benchmarking is inherently flawed in the way data is compiled. For mid-sized companies and larger, it is important to measure cyber risk accurately and reword any commercial insurance contract to reflect the risk measurement and assessment efforts.
Queries By Country or State
Cyber Insurance Canada
Our team can assist small to multinational Canadian businesses in managing their cyber insurance, including negotiations with brokers and triggering the insurance for effective payout, or provide them with analytics for their own broker negotiations. The cyber insurance market in Canada is competitive, considered to be more sophisticated than the average G7 cyber insurance market, and there is no shortage of brokers and insurers as providers of such insurance. It is, however, important to have risk experts independent of brokers and insurers who would reword and trigger the insurance for best value.
Cyber Insurance USA
Our team can assist mid-sized to multinational US businesses in managing their cyber insurance, including negotiations with brokers and triggering the insurance for effective payout, or provide them with analytics for their own broker negotiations. The US cyber insurance market is the largest and arguably the most sophisticated in the world. There are many options, and effective negotiations with brokers and insurers can lead to very different results than otherwise. Businesses can get very different coverage with the same broker and insurer.
Cyber Insurance New Zealand
Our team can assist mid-sized to multinational businesses in New Zealand in managing, rewording, and triggering their cyber insurance independently of insurance brokers or companies. We can work with the existing brokers of the business or conduct an RFP to choose an optimal insurance broker with whom either our firm or the business would communicate.
Cyber Insurance Australia
Our team can assist mid-sized to multinational businesses in Australia in managing, rewording, and triggering their cyber insurance independently of insurance brokers or companies. We can work with the existing brokers of the business or conduct an RFP to choose an optimal insurance broker with whom either our firm or the business would communicate.
Cyber Insurance London
Our firm has extensive experience within the London and UK market and can assist mid-sized to multinational businesses in London or the UK in managing, rewording, and triggering their cyber insurance independently of insurance brokers or companies.
Cyber Insurance UK
Please refer to the section right above.
Cyber Insurance Ireland
Please refer to the section right above.
Cyber Insurance Europe
Our team can assist mid-sized to multinational businesses across Europe in managing, rewording, and triggering their cyber insurance independently of insurance brokers or companies. We can work with the existing brokers of the business or conduct an RFP to choose an optimal insurance broker with whom either our firm or the business would communicate.
Cyber Insurance Market In India
Our team can assist mid-sized to multinational businesses based in India in managing, rewording, and triggering their cyber insurance independently of brokers and insurers, implementing the latest North American techniques regardless of local insurance market dynamics. The cyber insurance market in India is typically inexpensive compared to many other countries; however, that is because insurers exclude many types of cyber risks that could be relevant to businesses. It is important for Indian businesses to be sure of the purpose of buying Cyber Insurance and not benchmark to local businesses if cyber risk management is their primary focus.
Cyber Insurance UAE
Our team can assist small to multinational businesses based in the UAE in managing, rewording, and triggering their cyber insurance independently of brokers and insurers, implementing the latest North American techniques regardless of local insurance market dynamics.
Cyber Insurance Hong Kong
Our team can assist mid-sized to multinational businesses based out of Hong Kong or mainland China with cyber insurance management and/or analytics independently of any broker or insurer. We would bring the latest North American techniques and coverage, for both cyber insurance liability and first party coverage, when assisting a business in Hong Kong or mainland China regardless of the capabilities of local brokers and insurers.
Cyber Insurance Singapore
Our team can assist mid-sized to multinational businesses based out of Singapore with cyber insurance management and/or analytics independently of any broker or insurer. We would bring the latest North American techniques and coverage, for both cyber insurance liability and first party coverage, when assisting a business in Singapore regardless of the capabilities of local brokers and insurers.
Cyber Insurance Malaysia
Malaysia is one of the leading Asian countries in terms of awareness and research of Liability Risk, for which Cyber Insurance Liability coverage can be a hedge as it relates to cyber events leading to liability. Our team can assist mid-sized to multinational businesses based out of Malaysia with cyber insurance management and/or analytics independently of any insurance broker or insurance company.
Cyber Insurance Indonesia
Our team can assist mid-sized to multinational businesses based out of Indonesia with cyber insurance procurement independently of any broker or insurer. We would bring the latest North American techniques and coverage, for both cyber insurance liability and first party coverage, when assisting a business in Indonesia regardless of the capabilities of local brokers and insurers.
Cyber Insurance Thailand
Our team can assist mid-sized to multinational businesses based out of Thailand in managing their cyber insurance independently of any broker or insurer. Our team would bring the latest North American techniques and coverage, for both cyber insurance liability and first party coverage, when assisting a business in Thailand regardless of the capabilities of local brokers and insurers.
Cyber Insurance South Africa
Our team can assist mid-sized to multinational South African businesses in managing their cyber insurance independently of any broker or insurer. South Africa would be the leader in Africa in terms of commercial insurance penetration and coverage, including cyber insurance liability or first party coverage. Our team would bring the latest North American techniques and coverage when assisting a South African business, even if local brokers and insurers do not have immediate capabilities to provide for the latest solutions.
Cyber Insurance Providers
Providers of cyber insurance are plentiful, ranging from local to regional to international insurance brokers and companies. International brokers include Marsh, Aon, Willis, Gallagher, and others. International insurers include AIG, Zurich, Chubb, Lloyd’s, and others. What is important is to have the insurance reworded and triggered independently of any insurance provider for best value.
Cyber Insurance Underwriting
Many insurance companies have a Cyber Insurance product expert formulating underwriting guidelines. That said, there are often major flaws in the way the insurance product is underwritten. For the most part, as is the case with other forms of commercial insurance, insurers will take a portfolio approach when underwriting a specific risk as opposed to looking at the detailed operational risk metrics of a specific business. This ultimately leads to a product that is largely not tailored to the specific operations of the insured.
Cyber Insurance Claims
There are many cyber insurance claims around the world, both cyber insurance liability claims and cyber first party claims. You can watch the video at the top of this page to skim through some notable cyber events that have led to losses for the businesses involved. If the business had cyber insurance, then it would have claimed the insurance; however, the question remains whether the insurance effectively paid out on such claims or not. There are various disputes around the world over cyber insurance claims not being paid out by insurers. It is therefore important to reword the insurance contract with the help of risk experts who are independent of brokers and insurers.
Cyber Insurance 101
Cyber insurance is simply protection or insurance against cyber risk, which is the risk of cyber events occurring and leading to financial losses to organizations. It has two coverage parts: (1) Cyber Insurance Liability coverage; and (2) Cyber Insurance First Party coverage. Please refer to the section ‘Cyber Risk Meaning’ for a better understanding of the types of cyber risks that should be covered accurately through cyber insurance.
Cyber Insurance Explained
Please refer to the section right above.
How Cyber Insurance Works
First, the insurance has to be connected to the measurement and assessment of the cyber risk of a business. Once the latter is completed, the insurance needs to be reworded to fit the operational details of a business. The product that is reworded is then given to the assigned insurance broker for distribution amongst insurance companies. When a loss happens, the insurance policy must be triggered clinically, independently of any broker or insurer, for effective payout.
Frequently Asked Questions (FAQ)
Is Cyber Insurance Necessary?
Yes, if you are a business storing lots of customer or sensitive data or if your operations can be adversely impacted by a cyber business interruption event. Keep in mind that Cyber Risk has one of the highest probabilities of occurrence out of all forms of Operational Risk.
How Can Cyber Insurance Mitigate The Risk?
The insurance is made up of two main coverage sections, Cyber Insurance Liability coverage and Cyber Insurance First Party coverage, which outline the various loss scenarios that would be covered by the insurance. Simply put, Cyber risk is the risk of a cyber event occurring and leading to financial loss to an organization. The insurance is one of the most effective ways to mitigate the risk because it indemnifies or reimburses the organization for the financial loss resulting from the risk occurring. This is very important because many organizations think their cyber controls are enough to mitigate the risk, but if we look at various cyber losses across the world, we will note that losses are borne by many top organizations who had some of the best cyber controls in place. It is therefore important to mitigate Cyber Risk beyond the implementation of controls, which is where Cyber Insurance comes into play.
What Does Cyber Insurance Not Cover?
Cyber insurance does not cover various loss scenarios, from malicious acts to bodily injury, that are specifically outlined in the exclusions section of the cyber insurance policy wording. For more information, please refer to the section ‘Cyber Insurance Exclusions’ under Coverage Queries.
How Much Does Cyber Insurance Cost?
Please refer to the section ‘Cyber Insurance Pricing’ under Cost Queries.