Does Your Company Need Cyber Insurance?

If your business processes personal information—and especially health information or nonpublic financial information—you should consider cyber insurance. The kind of technological attacks previously confined to movie plots are now frighteningly common in the real world. As the number of people conducting business activities at home on their own devices has significantly increased during the pandemic, the cyber security risks have grown as well.

Most standard commercial general liability insurance policies do not cover damages resulting from a cyberattack. And even if your insurance covers property damage, “property damage” is typically limited to tangible property, and electronic data are usually specifically excluded.

Cyber insurance addresses gaps in traditional coverage. However, in this new, complex, and rapidly evolving field, how can you be confident that your company has the protection it needs?


Business data firm Statista reports that the worldwide number of web-based attacks blocked per day increased more than 50 percent between 2017 and 2018. Estimates of the total costs of cybercrime in 2019 vary, but the high end of the range exceeds $2 trillion. Research conducted by IBM found that the average cost of a data breach worldwide is just under $4 million and the average cost per lost or stolen record is $150.

The American Academy of Actuaries found that cybersecurity is ranked the number one concern among corporate risk managers. According to Statista, 34 percent of U.S. companies owned a stand-alone cyber insurance policy in 2017. If you don’t yet own a policy, should you?


First, some basic terminology. Types of coverage differ based on the identity of the insured.

First-Party Coverage encompasses:

  • Recovery and replacement of lost or stolen data

  • Legal costs to determine your notification obligations and other regulatory requirements

  • Call center and customer notification services, including printing and mailing notice letters

  • Providing credit monitoring and other mitigation services

  • Crisis management and public relations costs

  • Lost income due to business interruption

  • Creating security policies and templates

  • Forensic services to investigate the breach

  • Additional security training for employees and consultants

  • Cyber extortion and fraud

  • Fees, fines, and penalties related to the security incident

Third-Party Coverage provides payments for:

  • Damages to those affected by the breach

  • Claims and settlement expenses relating to disputes or lawsuits

  • Losses related to defamation and copyright or trademark infringement

  • Costs for litigation and responding to regulatory inquiries

  • Other settlements, damages, and judgments

  • Accounting costs

Some other broad categories of coverage include:

  • Network Security, encompassing:

    • Third-party data breaches

    • Theft of intellectual property

    • Theft of sensitive data

    • Denial of service attacks

    • Ransomware demands

    • Network failures

    • Terrorist acts

  • Media Liability, such as:

    • Copyright/trademark infringement

    • Libel/slander

  • Privacy Liability (meaning everything else not otherwise covered), including:

    • Theft of devices

    • Notification of affected parties

    • Regulatory fines

    • Crisis management

    • Forensic investigation


  • Bodily injury

  • Property damage

  • Employment practices

  • Pollution

  • Antitrust violations

  • Employee Retirement Income Security Act violations

  • Telephone Consumer Protection Act (TCPA) violations

  • Intentional acts by directors and officers

  • Unlawfully collecting personally identifiable information (PII) or other non-public information

  • Negligent information security practices (for example, failing to install software patches to address known vulnerabilities)


Legal counsel can assist you in:

  • Identifying the insurers who offer the product(s) best suited to your business’s needs

  • Evaluating the scope of coverage offered under your existing policies, if any

  • Finding and removing policy language that could lead to litigation or denial of coverage

  • Negotiating favorable terms with carriers regarding:

    • Applicable laws

    • Acts by third parties, such as external data centers and cloud storage providers

    • Regulatory investigations

    • Unencrypted devices

    • Data restoration and system upgrade costs

  • Filing claims

  • Reassessing coverage periodically as technological capabilities, business needs, and insurance markets evolve


The lack of standardization in this developing area offers both opportunities for the proactive and pitfalls for the unwary. In the absence of established policy standards, you have a lot of freedom to negotiate a policy customized to meet your needs.

At the same time, new terms and provisions may not be entirely clear even to those with insurance experience. For example, the notoriously wordy and dense definitions of technical terms may include significant exclusions. Careful review of these definitions for “hidden” exclusions is one important way that your legal counsel can help you obtain the best coverage for your business at an appropriate price.

Is your organization considering cyber insurance? If yes, please be sure to reach out to Michael Ridgway Jones at to learn more.
