A cyber policy is a valuable protection for many small and mid-size businesses that are at risk of data breaches, malware infections or cyber extortion demands. It also protects against privacy liability issues such as business email compromise or ransomware.

But in today’s market, many insurers are raising premiums, weakening coverage terms and imposing stricter underwriting guidelines. That’s making it difficult for businesses to secure adequate coverage.
Coverage

Whether it is a data breach affecting your customer information, an attack on your business or a cyber crime against an employee, cyber insurance can protect you from a wide range of claims and losses.

As the threat actors become increasingly sophisticated, the risks are escalating. They are increasingly focusing on the foundational aspects of businesses’ IT infrastructure, including web hosting and content management systems.

Ransomware and other threats are targeting these foundational elements of IT and requiring access to the network, making it more difficult for businesses to defend themselves. Even the most advanced organizations are vulnerable to these attacks.

To help protect against the rising risk of a data breach, many companies are adopting a cyber hygiene approach. They’re proactively assessing their system, testing and updating the software, and educating employees about security threats, among other things.

One of the more popular approaches is to transfer risk through insurance. Typically, this involves transferring the coverage of a cybersecurity breach to the insurer, in exchange for a higher premium.

But the market has responded to these emerging risks by increasing prices, scrutinizing security controls, and offering co-insurance or sub-limits that limit how much you can claim. This approach is designed to drive policyholders to take more responsibility for their own security, by requiring them to notify the insurer quicker of suspicious activity or the potential for a loss.

This type of coinsurance is often paired with stronger cybersecurity practices, such as implementing multifactor authentication (MFA) for all cloud resources and privileged administrator login credentials. MFA is a critical part of protecting sensitive data and can significantly reduce the cost of recovery from cyber breaches.

These types of cybersecurity programs may be rewarded with lower cyber insurance premiums, depending on the insurer and risk profile of the company. However, it’s important to note that these premium savings don’t automatically follow up with a reduction in claims or losses.

Another risk area in the cyber marketplace is infringements of intellectual property rights, such as copyright infringement or trademark infringement. Depending on your industry, this could be a violation of a patent or trademark by another entity, or it can be caused by your own inadvertent error in the performance of a service.
Sub-limits

Cyber insurers are implementing sub-limits on coverage for specific types of losses and expenses. Whether you’re buying a cyber policy for the first time or evaluating an existing one, you’ll need to know how these limits apply and if they’re sufficient for your business’s needs.

As cyber threats continue to rise, the market is adjusting to the new reality by offering sub-limits for certain coverages. For example, a sub-limit may be introduced for ransomware attacks.

The threat of ransomware is a major concern for cyber insurance carriers, and they are introducing these sub-limits in order to keep the cost of insurance down while ensuring the security of their customers’ data. These policies typically include a ransomware sub-limit that applies to any losses arising out of a ransomware attack, including defense costs, regulatory loss, breach response costs, brand loss, cyber extortion, digital asset loss, business interruption loss and computer crime loss.

In addition to sub-limits, some carriers are also adding a co-insurance requirement, which hovers around 25% of the insured’s total loss. This co-insurance is designed to encourage businesses to take action faster and improve their security controls.

It’s important to understand the impact of these sub-limits and co-insurance on your client’s business, and what it means for the insurance coverage your firm recommends. The key is to look for insurers who offer consistent coverage elsewhere and are willing to work with clients on a regular basis to improve their security controls.

These sub-limits and co-insurance are often introduced during a time of significant risk in the cyber insurance market, so it’s essential to keep your clients informed about this trend as it happens. This way, your clients can make informed decisions about how much coverage to buy and which insurer is the best fit for them.

Many organizations are surprised when they find their policies have “trapdoors” that limit funds for specific risks, according to Scott Godes, partner at Barnes & Thornburg. This is especially true for coverage that is intended to protect against social engineering fraud, such as phishing.

While these sub-limits and co-insurance are designed to help cover the costs of certain losses, they can come with serious consequences if your clients don’t carefully read their cyber policies and make sure the sub-limits and co-insurance are appropriate for their risk profile. For instance, a recent case involving the Hotel Monteleone illustrates how a policy’s $200,000 sub-limit can be difficult to interpret and can have a dramatic impact on a client’s claim.
Co-insurance

Cyber coinsurance is a way for insureds to share the costs of a cyber attack with their insurer. Essentially, if a company is hit by ransomware, they can ask their insurance provider to cover the cost of restoring their data or securing their infrastructure.

This can help organizations recover losses incurred due to a cyber incident, such as lost profits and expenses related to a business interruption. It also covers the cost of forensic investigation and remediation efforts.

To secure cyber coinsurance, insureds need to show they have strong information security practices in place. Ideally, they should be deploying multi-factor authentication (MFA) on email and privileged IT accounts, securing domain servers, remote access ports and patches, and having comprehensive risk mitigation policies in place.

Insurers are also looking for strong security and disaster recovery plans. These should include testing and training, frequent monitoring and patching, and a comprehensive business continuity strategy.

The demand for cyber insurance has risen consistently over the past two years, especially as threat actors have become more sophisticated in their attacks. In fact, Marsh reported that 42% of their clients purchased cyber coverage in 2019—more than double the number from 2014.

However, many organizations are struggling to secure the coverage they need. This is largely due to doubling premium increases, weakened coverage terms and stricter underwriting guidelines.

Fortunately, there are ways that retail brokers can help their clients get the cybersecurity insurance they need. By providing education on the current state of the market, helping insureds understand the services available to improve their cybersecurity and packaging submissions to make them more appealing to carriers, they can make a difference in the cyber market.

It is critical for clients to understand that cyber insurance is a long-term investment, rather than just a short-term protection. Those who approach the cybersecurity market as a long-term investor are more likely to get the most favorable results for their businesses.
Brokers

Cyber coinsurance is an additional layer of insurance that can cover the costs associated with data breaches. It can be purchased as an add-on to a cybersecurity policy or as standalone coverage, depending on the needs of the client. It can provide first-party coverage, which covers expenses related to data loss or damage, and third-party liability coverage, which provides protection for legal costs and fines that result from a data breach.

AIG is the leading insurer of cyber coinsurance, offering a broad suite of products for both small and large businesses. It offers coverage for both first- and third-party losses, including data loss and business interruption, as well as third-party liability for libel and slander.

The company also offers a variety of services, including data backup and disaster recovery. It also specializes in cyber risk management, and works with clients to implement security measures and identify potential threats.

At-Bay Insurance is a full-service broker that focuses on delivering cybersecurity and technology E&O solutions. Its brokerage platform, branded ProWriters, allows brokers to provide instant bindable quotes for business insurance policies in seconds.

Its CyberClear suite includes a wide range of options for brokers, including first-party response costs, third-party liability fines, and cyber crime and data breach coverage. Additionally, it offers a variety of optional coverages, including business interruption and social engineering. Apple Gift Card and digital currency


Another cyber-focused insurer, CNA, offers a wide array of products for both small and large businesses. These include business owners' policies (BOPs) that incorporate cyber liability coverage, as well as more sophisticated products for large businesses and financial institutions.

The company is particularly geared towards high-risk financial institutions, as well as for small to medium-sized businesses that need extra protection. Its policies also include co-insurance.

To be eligible for cyber coverage, a business must prove a certain level of cybersecurity, much like you need to have a front door and a lock on it before you can buy home insurance. Typically, the insurer will take a look at your size and sector of business, the number of systems you have and how secure they are.