What Cyber Insurance Covers

Every company faces cyber risk, no matter their size. But the bigger you are, the more areas of vulnerability you have. We identify the most prominent cyber risks as privacy risk, information risk, and operational risk.

Generally, cyber insurance is designed to protect your company from these primary risks through five distinct insuring agreements: network security, privacy, interruption to your business, media liability, and errors and omissions. In particular, network security and privacy liability can include both first-party and third-party costs. Let’s go into each element and what specific cyber risk it covers.

Network Security

A Network Security coverage grant is important for most companies, including those subject to information risk and privacy risk. This aspect of cyber insurance covers your business in the event of network security failure; which can include a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise. Network security coverage includes first party costs––expenses that you incur directly as a result of the cyber incident, including:

  • Legal expenses
  • IT forensics
  • Negotiation and payment of a ransomware demand
  • Data restoration
  • Breach notification to consumers
  • Setting up a call center
  • Public relations expertise
  • Credit Monitoring and Identity Restoration

Privacy Liability

Privacy Liability coverage is also important for most companies, particularly those with information risk or privacy risk. Customer and employee information can be sensitive and breaches or violations that expose such data not only threaten the security of those compromised, but expose your business to liability. Privacy Liability coverage protects your company from those liabilities arising out of a cyber incident or privacy law violations. These third-party costs can arise, for example, from liabilities required in a contractual obligation, all the way to regulatory investigations by governments and law enforcement. Here are two examples:

  • Defending your organization from consumer class action litigation and funding a potential settlement in the event of a cyber incident or data breach.
  • Legal expenses, fines, and/or penalties incurred due to a regulatory investigation by government or law enforcement; both federal and foreign. Imagine what would happen to your company if a foreign governmental body investigated and levied a penalty on your company for a privacy event or violation , especially with new regulations such as GDPR and CCPA granting consumers increased rights with regard to their personal information. Another cyber risk area is FTC privacy consent decrees and their respective fines or penalties.

Network Business Interruption

How dependent is your organization on technology to operate? Network business interruption coverage provides a solution for companies that face an operational cyber risk. When your network, or the network of a provider that you rely on to operate, goes down due to an incident, you can recover lost profits, fixed expenses and extra costs incurred during the time your business was impacted. This includes loss arising from:

  • Security failures, like a third-party hack.
  • System failure, such as a failed software patch or human error.

Media Liability

This provides coverage for intellectual property infringement, other than patent infringement, resulting from the advertising of your services. It often applies to both your online advertising, including social media posts, as well as printed advertising.

Errors and Omissions

A cyber event could keep you from fulfilling your contractual obligations and delivering services to your customers. E&O covers claims arising from errors in the performance of or failure to perform your services. This can include technology services, like software and consulting, or more traditional professional services like lawyers, doctors, architects, and engineers. E&O coverage addresses allegations of negligence or breach of contract should this occur, and can include legal defense costs or indemnification resulting from a lawsuit or dispute with your customers.





The Best Cyber Insurance Is As Unique As You Are

A one size fits all policy is rarely the best fit for most companies. It’s true that most cyber policies contain some combination of the above coverage elements; and in a well-brokered cyber insurance policy, the basic insuring agreements will be covered up to the full policy limits.

But beyond the basic insuring agreements, there are numerous available coverage additions which are more nuanced, and provide better coverage––especially for new buyers and situations that are not already well understood. These enhancements to a cyber insurance policy are not always available unless you know what to ask for; and if they are available they are generally sub-limited to an amount less than the full policy limit. Here are just a few:

Social Engineering

Those pesky phishing emails can do real damage to your cash flow. Social engineering coverage is designed to protect companies from funds transfer fraud situations. The most common example is an employee duped into sending money from your bank accounts to a malicious hacker. Social engineering coverage can also be found on most modern crime insurance policies, sometimes at higher sub-limits and broader coverage than on a cyber-specific insurance policy. It’s important to work with your broker to understand how a cyber and crime insurance policy can work together on social engineering coverage to your benefit.

Reputational Harm

Reputational harm is the continuing profit impact of a cyber event due to brand reputation damage. This is usually limited to a specific time period and includes aversion to a brand following a publicized cyber event, such as a privacy event or security breach.


This enhancement covers the replacement cost of technology equipment which is rendered useless by a malware attack. If your laptop or server becomes as useful to your corporate network as a masonry brick, you’ll know where to look for coverage.


Cyber Insurance: What’s Not Usually Covered

As with all insurance policies, there are exclusions which are important to understand. Cyber insurance policies generally do not cover:

  • Potential future lost profits
  • Loss of value due to theft of your Intellectual Property
  • Betterment: the cost to improve internal technology systems, including any software or security upgrades after a cyber event

Be aware that just because you have other policies that may be activated in the event of a cyber incident, there are probably gaps around which damages they’ll actually pay. In fact, there are a number of lawsuits from companies against insurance carriers due to their cyber claims not being covered by non-cyber policies. These lawsuits bring up the important concept of Silent Cyber – otherwise understood as traditional insurance policies such as property liability, general liability, or directors and officers insurance being silent on whether they will cover some of the consequences of a cyber attack.

Cyber Liability Insurance Costs

Cyber insurance costs vary widely, depending largely on how much risk your business faces. A small business that stores data but has relatively few customers can expect to pay between $800 – $2,000 per year. A larger business with more revenue and more clients might pay up to $7,500 annually.