
5 Cyber Liability Insurance Fundamentals for Your Business

July 09, 2021 Risk Assurance & Advisory, IT Risk Advisory

In this installment of our cyber safety series, learn why securing a cyber liability insurance policy can be critical to your overall cybersecurity program.

Cyber liability insurance. What is it, and is it really necessary? Cyber liability insurance is a policy that helps cover costs associated with data breaches and other cybersecurity attacks, such as:

  • Lost income caused by a cybersecurity incident,
  • Costs to notify customers,
  • Costs to pay regulatory fines, and
  • Costs to investigate and recover from a breach.

So, is this type of policy necessary? In most cases, yes. If your organization uses technology, securing a cyber liability insurance policy can be critical to your overall cybersecurity program. Below are some key considerations to keep in mind when purchasing cyber liability insurance.

1. Identify Your Risks

One of the first steps to take when purchasing cyber liability insurance is to understand the risks to your organization and your ability to address those risks. This starts with a comprehensive cyber risk assessment, including assessing your technology risks (such as system vulnerabilities, data encryption, and IT policies and processes) and non-technology risks (such as employee training and bring-your-own-device policies).

Your risk assessment should also consider external factors, such as your industry and geographic locations. Certain industries like healthcare and finance tend to be more attractive targets for ransomware and other attacks. This increased risk may lead to additional scrutiny from your insurer and ultimately higher premiums. 

Identifying and understanding your organization’s cybersecurity risks, and your ability to manage them, will allow you to better evaluate policy options and coverage amounts, identify possible gaps in coverage, and determine how much risk to assume and how much to transfer to the insurer.

2. Know Which Type of Cyber Liability Coverage You Need

There are generally two types of cyber liability coverage: first-party liability and third-party liability. Let’s take a look at each.

First-Party Liability Coverage

First-party liability insurance covers costs incurred from a breach of your own systems that resulted in losses. These costs may include losses due to extortion from ransomware, theft or destruction of your data, interruption of your ability to conduct business, and costs associated with investigating and recovering from a cyber incident.

Third-Party Liability Coverage

Third-party liability insurance is intended for organizations in possession of third-party data or organizations responsible for developing, installing or managing the systems that secure third-party data, such as cloud software providers. This type of policy may include coverage for costs stemming from privacy claims from your customers and employees, regulatory actions, notifying third parties affected by the breach and resulting litigation.

Whether you need first-party liability, third-party liability or both will depend on the services your organization provides. For certain organizations, such as those that install or manage computer networks, develop software systems or provide cloud services, third-party liability coverage is essential. For organizations that do not have custody of, or responsibility for, third-party data, first-party liability coverage is likely sufficient.

3. Be Clear on What Your Policy Covers

Your cyber liability coverage should be aligned with your level of cybersecurity risk, as identified during the initial assessment phase. Your coverage should also be aligned with your organization’s risk appetite. Cyber insurance coverage ranges from the basics — such as costs for covering ransomware, business interruption and breaches at third-party organizations — to less obvious costs, such as those associated with forensic investigations and litigation expenses.
 
In determining the extent of coverage your organization may need, consider factors such as the types of services you offer, the impact of cyber attacks on other organizations in the same or similar industry, and the types of data to which your organization has access. You should also consider regulatory obligations with which your organization must comply, including possible regulatory fines should you fail to manage a security breach in accordance with regulations. Data breach notification fines can be significant. Recent examples include Uber, which received a $148 million fine for violating state data breach notification laws, and Yahoo, which was assessed a $35 million fine for failing to disclose a data breach. 

4. Understand and Plan for Exclusions

Exclusions are the circumstances or conditions under which the insurance provider does not cover a cybersecurity incident. When securing cyber liability insurance, it is paramount that you understand the exclusions in your policy, as insurers will quickly deny coverage based on them.
 
Some common cyber policy exclusions include:

  • Failure to maintain minimum security standards. Be sure to understand any minimum security requirements your policy requires and take steps to meet them.
  • Incidents resulting from war, terrorism or insurrection. As this is a broad exclusion that could potentially exclude incidents from state-sponsored cyber attacks, you should ask your provider to modify this clause to ensure acts of cyberterrorism are included in your policy.
  • Other frequent exclusions. Also be aware of prior acts (acts that took place before the policy went into effect), regulatory fines and breaches stemming from third-party organizations.

Take the time to understand all exclusions in your policy and consider the impact they could have on your policy’s ability to meet your needs. Speak to your insurance broker about any concerns, and if you are unable to remove a particular exclusion, consider purchasing additional coverage to address the risk.

5. Consider the Importance of Retroactive Coverage

Like most insurance policies, your cyber liability policy will likely include a retroactive date. Losses resulting from incidents that occurred prior to the retroactive date will be excluded from coverage. The retroactive date is of particular importance to cyber insurance policies, as it is not unusual for months or sometimes years to pass before a cybersecurity breach is identified.

To obtain coverage for breaches that may not yet have been discovered, consider purchasing retroactive coverage as part of your policy. The retroactive date is normally the day the insurance policy first goes into effect. For an additional premium, you can often negotiate a retroactive date that pre-dates the day the policy first goes into effect.

When determining if you should extend the retroactive date, and how far back you should go, look not only at the additional cost of the insurance premium but also the overall cyber risk to your organization and the likelihood of having an undetected cybersecurity breach.

Putting It All Into Perspective

As part of a broader cybersecurity program, cyber liability insurance is one of the most important tools in your cybersecurity toolbelt.

Before purchasing any amount of cyber liability insurance, evaluate all relevant factors. Understand and cautiously consider your risks as an organization, the type of insurance and how much you need, the time period covered by the policy, and any and all possible exclusions. And when selecting an insurer, try to find one with experience in your industry who can partner with you as a risk adviser. 

Contact a member of your service team to discuss this topic further.

Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.
