What Does Cyber Liability Insurance Cover?

Cyber policies aren't standardized so they vary widely

By Marianne Bonner

Marianne Bonner, a certified CPCU and ARM, has covered small business insurance topics for The Balance since 2013. She worked in the insurance industry for 30 years as an analyst and underwriter among other roles and holds multiple professional designations. Along with The Balance, Marianne has written many articles for International Risk Management Institute's Risk Report.

Updated on March 12, 2021

Many small businesses use computers to send, receive, or store electronic data. Important data may be contained in sales projections, tax records, contingency plans, and other company documents. If such information is lost, damaged, or stolen due to a security breach, it may be difficult and costly to restore. A data breach can also trigger third-party claims or lawsuits if it involves personally identifiable information such as social security numbers, health records, and credit card numbers.

Businesses can protect themselves against the costs associated with data breaches by purchasing a cyber liability policy. Examples of cyber policies are The Hartford's CyberChoice, Travelers' CyberRisk, and Philadelphia's Cyber Security product.

What Is Cyber Liability Insurance?

Cyber liability insurance covers financial losses that result from data breaches and other cyber events. Policies vary widely because most insurers that offer cyber coverage use forms they've developed themselves. Many policies include both first-party and third-party coverages.
First-party coverages pay out-of-pocket expenses that a firm directly incurs as a result of a breach. Third-party coverages apply to damages or settlements a business is obligated to pay as a result of claims or suits for injuries that result from the company's actions or failure to act. For instance, a client sues his therapist for negligence after a hacker breaches the therapist's computer system, steals the client's treatment records, and releases them online.

Many cyber policies provide a range of coverages, some of which are automatically included and others that are optional. A separate limit may apply to each coverage. Some coverages may apply only after the insured business has paid a deductible or a retention.

Note: Cyber liability policies contain many defined terms. The meanings of these terms are important because they determine the scope of coverage provided.

Coverage for Costs of a Breach

Here are some first-party coverages you are likely to find in a cyber liability policy. These reimburse the business for costs it's already incurred.

Data restoration: Covers the cost to replace or restore electronic data, programs, or software damaged or destroyed by a hacker attack, a virus, denial of service (DoS) attack, or other covered peril.

Loss of income and extra expenses: Covers income losses sustained by a business and extra expenses it incurs to restore its operations following a shutdown caused by a computer virus, hacker attack, or other covered peril. Some policies cover income a business loses because a supplier, distributor, or other company that it depends on has been forced to shut down due to a data breach.

Cyber extortion: Covers a ransom paid to a hacker who's breached a company's computer system and threatened to commit a nefarious act like damaging data, introducing a virus, initiating a DoS attack, or releasing confidential data unless the ransom is paid.
Policies generally cover any extortion payment made with the insurer's consent plus related expenses, such as the cost of hiring an expert to negotiate with the extortionist.

Notification costs: Covers the cost of notifying parties whose data has been affected by a data breach. This coverage is important because most states have laws requiring businesses to inform individuals when their personal information has been compromised. Policies may also cover the cost of providing credit monitoring services and establishing a call center.

Crisis management: Most cyber policies afford some coverage for crisis management expenses. Depending on the policy, coverage may include the cost of hiring an attorney, forensic accountant, computer expert, or public relations expert to assess the scope of the damage, determine whose data was compromised, help mitigate the loss, and protect the company's reputation.

Note: Most small businesses pay an annual premium of $2,000 or less for a cyber liability policy.

Coverage for Claims and Lawsuits

Many cyber policies include liability coverages like those outlined below. These coverages are usually claims-made. They typically cover damages or settlements plus defense costs, which may be covered within the limit or in addition to the limit.

Network security and privacy liability: Covers claims against the business arising from negligent acts, errors, or omissions such as the failure to protect sensitive data, the failure to provide notification of a data breach, or the failure to prevent a security breach that results in a DoS attack or the introduction of a virus.

Electronic media liability: Electronic media liability insurance covers lawsuits against the business for acts like libel, slander, defamation, copyright infringement, invasion of privacy, or domain name infringement. Generally, these acts are covered only if they result from the policyholder's publication of electronic data on the Internet.
Regulatory proceedings: Covers fines or penalties imposed on the business by regulatory agencies that oversee data breach laws. Also covers the cost of hiring an attorney to help respond to a regulatory proceeding.

What Cyber Policies Don't Cover

Like all insurance contracts, cyber policies exclude certain types of claims. Here are some typical exclusions:

Bodily injury and property damage.
Intentional dishonest acts committed by the insured.
War and terrorism.
Contractual liability.
Utility failure.
Cost of restoring computer systems to a higher level of functionality than they were previously.
Acts committed before the retroactive date (if the policy has one).