Cyber Insurance: Are you sure you’re covered?

Monday, May 2, 2016

By: Keith Fuller

In the past, protecting your balance sheet meant making sure that your property and any additional liability your company has from its day-to-day operations were covered. The world has changed drastically, and now you need to be aware of threats from outside entities that you may never even know existed until it’s too late. Cyber-attacks are happening every day, and large corporations are no longer the only focus. Small- and mid-sized corporations are now being targeted because their lack of resources makes a breach easier and magnifies their vulnerabilities. A cyber-attack on a smaller company can be devastating: according to Paychex, 60% of small and medium-sized businesses go out of business within six months of a cyber-attack. Understanding your insurance options and ensuring you have the proper coverage is critical to surviving a cyber-attack.

Every day we wake up to reports of another major corporation having been breached via a cyber-attack. While it’s often difficult to immediately grasp the full scope of the breach, the damage often extends beyond the organization itself – directly impacting clients and employees who have entrusted the firm with their private data. Preparing for such an attack is nearly impossible, as technology is rapidly evolving and hackers are constantly finding new ways to steal sensitive information; however, it is possible to make sure your organization is protected, and it begins with understanding your insurance options and ensuring you have proper coverage.

We have reached a point in our society where we are so reliant on the Internet for conducting business that cyber insurance is a necessity. Without it, the effects of a breach can be so crippling that a single event can bankrupt an organization overnight. The good news is that most carriers now offer cyber policies, but cyber insurance is still so new that there is not a standard policy form and each carrier has approached their cyber policies in different ways.

At Smith Brothers, we receive questions on a daily basis from clients and prospects asking if their current cyber coverages are protecting them from the effects of a cyber-attack. The truth is, the policies can’t protect you, but they will help relieve some of the costs that would be incurred with such a breach. A trusted risk advisor will help you better understand your options, but below are three things you need to know about cybercrime and how it impacts your policy.

1. Cyber insurance does not cover the loss of securities (money, stocks, etc.). When we hear about a cyber breach in the news, we always hear about the money that is stolen by hackers and the total cost of the breach. In reality, these should be viewed as separate scopes. When money is stolen due to a cyber breach, the coverage for this loss would potentially fall under your crime policy and is not covered under your cyber policy.

What may be covered are the expenses incurred by the company to remediate the breach. These include items such as public relations costs, providing victims with credit protection as required by law, any fines imposed and defense costs due to civil suits from the breach. When evaluating cyber policies, it is important to make sure these costs are covered.

2. Cyber breaches aren’t only accomplished by breaching your network and stealing data. There are many ways a breach can occur and each policy covers different types of breaches in different ways. Some breaches may be covered on the base form, while others will require an endorsement for coverage. Make sure your trusted advisor explains how each is covered in your policy. Below are some common breaches we come across.

  • Ransomware: Wired magazine defines ransomware as malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom. The malware has been developed by attackers to the point that it will now encrypt your data with a PIN that only the attacker knows, and your data will not be released until you pay the ransom.
  • Social Engineering: As described by TechTarget, social engineering is a “non-technical method of intrusion attackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Attackers are generally relying on a person’s nature to be helpful.” Examples of this are phishing emails, pretexting (requesting information for verification) or spam.
  • Denial of Service (DoS) Attacks: This is a type of attack where the attackers attempt to prevent legitimate users from accessing the service. Essentially, it prevents access to the network by flooding it with invalid messages and data, which then dramatically slows or disables the network.
  • Theft of mobile devices: Surprisingly, most companies never even consider this a threat. But think about it for a second. How easy is it for a phone, tablet or even a laptop to be stolen? Most companies have some security on these devices to keep them from being opened, but one that often seems to get overlooked is flash drives. How many flash drives do you have that are encrypted? Do you know what data your employees are putting on those flash drives? Make sure to work with your risk advisor to ensure that your cyber policy covers the loss of data through these devices.

3. Each cyber policy is different: As I mentioned earlier, due to the ever-changing technology, cyber exposures are changing daily. It’s important to find a trusted advisor who is knowledgeable in cyber insurance and has conducted an analysis of the different policies to make sure that you are properly covered for your exposures. You also want someone who is going to stay up to date on the changes in cyber insurance, as it is incredibly complex and many business owners have neither the time nor the capacity to do it themselves.

The sad fact is that breaches are only going to become more common as criminals develop new ways to steal corporate data, and while it may be impossible to stop them, it is possible to mitigate the effects of such an attack. There is currently a lot of confusion surrounding cyber insurance, and a risk management advisor who has spent time to understand your business can help you match the appropriate policy to your business model and make sure your company is properly insured.

This article is intended to give the reader a general awareness of some issues related to cyber insurance. All policies are different and each entity has unique exposures, so consult your advisor and legal counsel to conduct a specific risk analysis and establish a risk transfer program for your business.


Keith Fuller is a Commercial Lines Risk Advisor at Smith Brothers USA. He can be reached at
