Glossary of Cyber Policy Coverages

There are a lot of coverages provided in a standard cyber insurance policy.


While I'm working on a more comprehensive overview of Cyber for 2024, I thought it worthwhile to share a glossary of cyber coverages available on the market.

Cyber policies generally cover two groups of loss:

  1. First-Party Liability: These cover the expenses your business may incur following a data breach or other cybersecurity attack on your network or systems.
  2. Third-Party Liability: These cover damages or settlements the organization must pay due to suits or claims for injuries resulting from the organization’s actions or failure to take action.

Cyber insurance is a fast-changing line of coverage. As carriers go through more claims events and help clients work through cyber events, policy language, exclusions, and inclusions will change.

The market is also competitive, with more carriers offering this coverage type every year. At the time of this writing, a cyber policy with a $1M limit averages $2,000 for an annual policy, depending on the type of risks present.

Common Exclusions

Insurance is sometimes best understood backwards, by first knowing what is excluded. Here are a few of the common exclusions found in policies.

Poor Security Processes

Attacks that occur due to ineffective security processes or poor configuration management.

Prior Breaches

Security events or breaches that occurred before the organization purchased a cyber insurance policy.

Human Error

Cyber attacks caused due to human error by the organization’s personnel.

Insider Attacks

Data theft or loss occurring due to an insider attack by an employee.

Pre-existing Vulnerabilities

Breaches that occurred because the organization failed to correct or address a previously-known vulnerability.

Technology System Improvements

Costs related to technology improvements, such as hardening networks and applications.

First Party Coverages

Breach Response & Remediation

A breach is defined as the unauthorized acquisition of covered information that compromises the security, integrity, or confidentiality of that information. This coverage pays for the response and remediation costs associated with a breach, including legal fees, customer notification, IT/digital forensics, and crisis media relations, among others.

Companies can be required to provide free credit monitoring services for at least 12 months if a data breach exposes their customers' Social Security numbers. However, companies may not be required to provide credit monitoring if it is determined that the affected individuals won't be harmed.

Cyber Business Interruption

Coverage for financial losses due to a cyber event that causes degradation to your computer system. It usually requires a time retention (see Business Interruption Waiting Period).

Dependent Business Interruption

Coverage for financial losses when a cyber event at a 3rd-party provider causes disruption to your business; 3rd parties often include cloud providers or other software, services, or hosting providers.

System Failure

Coverage for financial losses due to business interruption resulting from an unplanned or unintentional outage, often caused by employee error or power outage.

Dependent System Failure

Coverage for financial losses due to business interruption resulting from an unplanned or unintentional outage of a system operated by a 3rd party vendor, often caused by employee error or power outage.

Business Interruption Waiting Period

A time retention is typically applied to cyber business interruption and system failure.

Dependent Business Interruption Waiting Period

A time retention is typically applied to cyber-dependent business interruption and dependent system failure.

Ransomware / Cyber Extortion

Coverage for the costs to respond to a cyber extortion (ransomware) event, including forensics experts to investigate the attack, experienced negotiators, and sometimes ransom payments in virtual currencies.

Ransomware Payment Provision

Provision for how the policy responds to a ransomware claim; “Pay on behalf” indicates the carrier will tender payments due when a ransom event occurs; “Reimbursement” indicates the insured will pay out of pocket and then seek reimbursement for covered losses.

Digital Asset Damage

Coverage for the costs to rebuild electronic data and other digital assets after a cyber event, such as restoring from offsite backups.

Cyber Crime

Coverage for the theft of funds resulting from a failure in your security, often by a hacker stealing login credentials. This is often referred to as funds transfer fraud and may instead be covered on a crime policy.

Social Engineering

Coverage for theft of funds via deception or impersonation where a criminal tricks you into parting with your funds, often linked to business email compromise.

Client Funds

Coverage extension to cover theft of client funds in the insured’s care, custody, or control.

Invoice Manipulation

Coverage for the release or distribution of a fraudulent invoice or fraudulent payment instruction to a third party as a result of a cyber-event.

Telephone Hacking

Coverage for costs associated with unauthorized and fraudulent telephone calls. Sometimes shows up as TCPA Defense Coverage (Telephone Consumer Protection Act).

Crypto Jacking

Coverage for costs associated with unauthorized use of the insured’s computer processing power to mine cryptocurrency.

Reputational Harm

Coverage for lost income from an adverse media event due to a cyber event that damages the insured’s reputation.

Breach Response (Outside the Limit)

Coverage for 1st party breach costs outside of and in addition to the policy aggregate limit.

Bricking

Coverage for physical damage to IT hardware resulting from a cyber event that renders the equipment useless and unable to be safely repaired.

Bodily Injury

Coverage for bodily injury which results from a cyber-event.

Property Damage

Coverage for property damage that results from a cyber-event.

BYOD

Coverage for any device used by the company’s employees in the course of normal business operations, no matter who the device belongs to.

Third Party Coverages

Cyber / Privacy Liability

Defense and indemnity for claims against you related to cyber events or data breaches.

Media Liability

Defense and indemnity for claims of libel, slander, copyright infringement, trademark infringement, invasion of privacy, etc.

Regulatory Defense & Fines

Defense and indemnity coverage for claims brought by a federal, state, local, or foreign governing body related to privacy regulations, data breaches, and cyber events, including fines and penalties where insurable by law.

PCI Fines & Assessments

Coverage for assessments, fines or penalties imposed by banks or credit card companies due to non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Defense (Outside the Limits)

Additional defense coverage outside of the limits of liability.

Bodily Injury

Defense and indemnity coverage for bodily injury that results from a cyber-event.

Property Damage

Defense and indemnity coverage for property damage that results from a cyber-event.

Additional Services

Cyber Risk Report

An assessment of the company’s cyber security posture, which often provides a score and actionable security recommendations. Carriers that offer this usually need only the company’s URL to perform an outside-in scan, and they provide it with all quotes.

Proactive System Monitoring

Ongoing, regular scanning to monitor for security vulnerabilities. If an issue is flagged, the carrier will proactively notify the insured and offer assistance to mitigate it. Only provided to policyholders.

Pre-claim Assistance

Access to software and services, including cyber risk applications, breach response plans, data breach calculators, and other risk management tools for managing cyber risk.

Expert Cybersecurity Advice

Open access to cybersecurity experts to ask questions about the company’s security; access is usually provided via phone or email.

Data Breach Regulations

Each state has its own rules for notifying individuals and regulators, for what information is covered, and for what penalties can be imposed.