Cyber insurance is intended as a safety net to protect businesses against losses resulting from hackers or other cyber crime. The idea of this type of policy is still fairly new, so standard coverage is still evolving. However, there are some things that most policies don’t cover.
While most cyber policies will insure operation losses, such as payroll, in the event of a business interruption event, many cyber policies don’t cover lost profits. Additionally, cyber insurance coverage often includes a waiting period for business interruption, where losses are only covered after a designated time period ranging from 1-12 hours.
Bodily Injury and Property Damage
These days, cyber attacks are not relegated to an online situation. As the internet increasingly connects to objects that can cause bodily injury or physical damage, the opportunity for tangible consequences rises significantly. For example, a cyber attack on a manufacturing firm could disrupt a part of the supply chain process resulting in spoiling goods that could cause illness or manufacturing defects that could result in injury. Consider an attack on a hospital where computers can run everything from the elevators to the life support systems, and the possibilities are frightening. Most cyber policies will not cover those types of damages, causing a company to rely on their other business policies.
Hardware and Software
Cyber insurance generally does not cover property damage, which includes computer and other technology equipment that is often damaged as part of the cyber attack. This can be problematic if the hardware has become so corrupt that it’s unfixable or more cost efficient to purchase something new. Additionally, most cyber policies will not cover new software versions; instead they only restore a business’s software to the version it had before the attack, leaving the company on the hook to cover depreciation costs.
Depending on the individual policy’s exclusions, the basics of cyber liability insurance generally do not extend to cyber crime that originated due to a lost company laptop or portable device. Sometimes if the device is encrypted, this exclusion does not apply, so it’s important to ensure proper security is enacted on all devices.
If a business utilizes a third party for customer service management, cloud services, email, web hosting, or other significant online business relationship, a cyber attack on that third party could cause a cascade of damage to the primary business. Cyber insurance often does not extend to third-party providers.
Business Reputation Damage
While it may be difficult to quantify the damage to a company’s reputation as a result of a cyber attack, the problem is significant. Most policies won’t cover reputation damage or the costs of repairing that damage.
While the threat of cyber attacks continues to grow in severity, cyber insurance is continuing to evolve as well. Companies must be aware of what their coverage includes as well as what it excludes to properly plan for the worst case scenario.