In the past few years, the frequency and severity of cyber attacks have increased significantly.
According to our most recent Cyber Risk Index report, 82% of startup founders have experienced a cyberattack, up from 63% two years earlier.
Cyber insurance has essentially become a necessity for businesses of all sizes and industries. While cyber insurance is one of the best ways to protect against the ever-growing list of cyber threats, cyber policies are not a one-size-fits-all solution for risk mitigation, and it is crucial to understand the limits of your coverage. In fact, many organizations discover gaps in their coverage only after experiencing an incident.
In this guide, we will explore what cyber insurance doesn’t cover, breaking down some of the key exclusions in typical cyber insurance policies that every business leader should know about.
1. Known breaches
When it comes to cyber insurance, providers won’t typically cover incidents arising from known breaches that existed before the policy’s start date. This means that if your company experienced (and discovered) a cyber attack before the start date of your policy, your insurance provider likely will not provide coverage for the incident.
In most cases, cyber insurance will cover claims for pre-existing vulnerabilities, but you may see an increase in your premium as a result.
For example, if your organization discovers a data breach six months before purchasing cyber insurance, your policy won’t cover the associated costs and damages. If the breach is discovered during the policy period, most providers will still provide coverage as you did not have prior knowledge of the attack.
2. Social engineering attacks
While cyber insurance typically covers direct cyber attacks, many policies exclude or limit coverage for social engineering attacks. Some carriers, to reduce avoidable claims, include a callback provision in their policy; a social engineering claim may be denied or excluded if that provision is not adhered to.
A callback provision is an additional safeguard that your cyber insurance policy may require to reduce the risk of fraud-related claims. This provision requires policyholders to have specific authentication procedures in place when transferring funds. For example, if a cyber insurance policy has a callback provision in place, the insurer may only provide coverage for a social engineering claim if the insured has followed the necessary procedures. This generally involves confirming the transfer of funds by calling the requester on a phone number that was verified in advance, rather than one supplied in the request itself.
This means that while social engineering attacks are included in most cyber liability policies, they may come with specific limitations. If your cyber insurance policy has a callback provision for social engineering claims and the callback is not made correctly, then the insurer will likely not cover your claim.
Social engineering attacks can be highly damaging to your organization, both financially and reputationally. So meeting your policy’s requirements for this type of coverage is important.
Here are some types of social engineering attacks that often come with limitations and additional provisions:
- Business email compromise (BEC) scams
- Voluntary transfers of funds, even if induced by deception
- Phishing attacks resulting in voluntary disclosure of information
Funds transfer fraud
Another type of cybercrime that is often included in callback provisions for cyber insurance is funds transfer fraud. Funds transfer fraud occurs when a cybercriminal deceives an organization into transferring funds to a fraudulent account, often using tactics like impersonation or spoofed communications. As with social engineering attacks, many insurance policies will require policyholders to maintain specific security protocols and pre-transfer authentication. For example, to verify a transaction, an employee may need to call the requester on a pre-verified phone number.
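The callback control described above for social engineering and funds transfer fraud, as an added example that is not from the original post or any insurer's actual procedure: a Python check that releases a transfer only if the callback went to a number from a directory verified in advance (not the number given in the request), the requester confirmed the transfer, and the person who called is not the person approving. The sample directory, vendor account file, two-person rule and 24-hour window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (hypothetical): callback numbers verified out of band
# for each known requester, and the beneficiary account on file per vendor.
VERIFIED_NUMBERS = {"cfo@example.com": "+1-555-0100",
                    "billing@acme.example": "+1-555-0177"}
VENDOR_ACCOUNTS = {"acme": "ACME-ACCT-001"}

@dataclass
class TransferRequest:
    requester: str            # address the request came from
    vendor: str
    beneficiary_account: str
    number_in_request: str    # number the message asks us to call (untrusted)

@dataclass
class CallbackRecord:
    number_dialed: str
    performed_by: str         # employee who placed the call
    performed_at: datetime
    confirmed: bool           # requester confirmed this exact transfer

def evaluate_transfer(req: TransferRequest, callback: Optional[CallbackRecord],
                      approver: str, now: datetime,
                      max_age: timedelta = timedelta(hours=24)):
    """Return (approved, reasons); each failed control adds a reason to the record."""
    reasons = []
    verified = VERIFIED_NUMBERS.get(req.requester)
    if verified is None:
        reasons.append("requester has no pre-verified number on file")
    if callback is None:
        reasons.append("no callback was recorded before approval")
    else:
        if callback.number_dialed != verified:
            reasons.append("callback went to a number not in the verified directory")
            if callback.number_dialed == req.number_in_request:
                reasons.append("callback used the number supplied in the request itself")
        if not callback.confirmed:
            reasons.append("requester did not confirm the transfer on the call")
        if callback.performed_by == approver:
            reasons.append("callback and approval must be done by different people")
        if now - callback.performed_at > max_age:
            reasons.append("callback is older than the allowed window")
    on_file = VENDOR_ACCOUNTS.get(req.vendor)
    if on_file is not None and req.beneficiary_account != on_file:
        reasons.append("beneficiary account differs from the vendor account on file")
    return (not reasons, reasons)
```

Keeping the returned reasons alongside the transfer record gives you the evidence an insurer will ask for when a callback provision is in play.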
3. Reputational damage
Besides the obvious financial impacts, one of the most threatening risks of a cyber attack is reputational damage. The good news? Most cyber insurance policies provide some coverage related to reputational damage. That said, what cyber insurance doesn’t cover, generally, is the reputational harm itself following a cyber attack, and there may be specific limits on coverage. Your cyber policy will typically assist with the costs of notifying affected parties during a data breach and may even provide access to a PR firm to minimize the damage.
Loss of intellectual property
While insurers will cover (with limitations) reputational damage due to the fallout of a cyber attack, there will typically be further restrictions when it comes to the loss of intellectual property. Unfortunately, what cyber insurance doesn’t cover, generally, is the theft of proprietary information, trade secrets, patent or trademark information, and other intellectual property.
This exclusion exists because it is difficult to determine the quantifiable cost of intellectual property. For example, if a company’s confidential research is stolen in a data breach, the insurer may cover the immediate costs of investigating and responding to the breach but not the long-term financial loss caused by theft, such as loss of clientele, tarnished reputations, etc.
4. Physical damage to hardware
Often, when an electronic device is compromised during a cyber attack, its software is heavily damaged or even completely destroyed. Certain types of malware attacks can go beyond simply stealing information and can completely corrupt the device’s system, which may essentially render the device useless. While most cyber insurance policies provide some coverage for physical damage to hardware, the amount of coverage is typically limited.
Most standard cyber insurance policies typically exclude:
- Property damage resulting from cyber incidents
- Infrastructure failures caused by cyber events
- Power surges or electrical damage from cyber attacks
For comprehensive protection against physical damage resulting from cyber events, organizations should combine cyber insurance with commercial property insurance or seek specific endorsements.
That said, when it comes to damage to your physical hardware and electronic devices, you can usually expect some coverage. Many policies cover “bricking”, in which an electronic device such as a computer, smartphone, or tablet is destroyed by a cyber attack. Bricking can be a major issue as it will cause system downtime, not to mention the high cost of replacing damaged hardware. Cyber insurance policies will generally cover some of the costs for certain bricking incidents, but there will be limitations.
For example, an insurer may cover the actual cost of the replacement equipment but may not cover the cost of hiring someone to install the new equipment.
5. State-sponsored attacks and acts of war
In the last few years, cyber attacks have become extremely prevalent in warfare. State-sponsored cyber attacks and cyber terrorism are an increasing concern for many companies and government agencies around the world as geopolitical tensions rise. Businesses in the healthcare, energy, finance, and education industries are particularly at risk of being victims of state-sponsored cyber attacks.
Unfortunately, these types of cyber attacks are one of the most common exclusions in cyber insurance policies. Acts of declared or undeclared war are often excluded from insurance policies. This isn’t to say that state-sponsored cyber attacks are always excluded from cyber insurance coverage, as each provider will have differing limitations.
Many cyber insurance policies do not cover:
- State-sponsored cyber attacks
- Attacks during declared or undeclared war
- Cyber attacks that are directly linked to insurrections, revolutions, or other hostilities
- Political or ideologically motivated cyber incidents
- Infrastructure attacks by nation-state actors
It is important to note that some types of cyber terrorism may be covered by a cyber liability insurance policy. This includes coverage for the following:
- Intentional use of disruptive activities
- An explicit attack on a computer system by a social, ideological, religious, political, or similarly motivated individual or group of individuals.
The challenge of attributing cyber attacks to specific actors makes these exclusions particularly complex and often contentious during claims.
One important exception to this “rule” concerns state-sponsored acts: while most insurers restrict coverage for acts of war, many do provide a carveback for cyber terrorism.
It’s important to understand the difference between cyber terrorism and cyber war in an insurance context.
Cyber terrorism (covered) involves an attack from a group on a nation-state that negatively affects the revenue of a business.
Cyber war (generally not covered) involves an attack from another nation-state that is recognized by the United States as such.
For example, if a hacker is hired by a national government to intentionally steal data from your company, an insurer will likely refuse coverage as this is a state-sponsored incident. On the other hand, if a terrorist organization is behind an attack and has the primary objective of causing fear, and your policy includes a cyber terrorism carveback, your insurer will likely cover the damages.
6. Illegal activity and fraud
Most insurers will not provide coverage if the policyholder knowingly commits an illegal or fraudulent act that directly results in a cyber attack or data breach.
For example, if an organization conducts business in violation of regulatory requirements or intentionally breaks cybersecurity laws, any resulting claims are almost always denied.
This exclusion is meant to hold businesses accountable and maintain ethical standards. While many policies explicitly exclude coverage for intentional illegal acts, insurers may exclude some unintentional acts as well and require the insured to prove that they were not negligent and practiced due diligence.
Understanding policy limitations and taking action
- Carefully review policy terms: Thoroughly understand your policy’s exclusions and limitations before signing.
- Understand your reporting provisions: Each insurer has slightly different requirements for reporting cyber claims. It is important to have a clear understanding of what is expected from you in terms of reporting incidents and making claims, as doing so incorrectly can result in denied coverage.
- Consider additional coverage: Cyber liability insurance provides comprehensive coverage for cyber attacks and data breaches, but it won’t cover other common claims. For example, if an attack results in property damage or personal injury, you may consider investing in general liability insurance or commercial property coverage. You should always evaluate whether additional insurance coverage or endorsements are needed to cover all of your business’s risks.
- Implement comprehensive security: Prevention is the best way to minimize your risk of facing a cyber threat. Implement strong security measures, train your staff to recognize cyber threats, and continuously update your software to protect your business.
- Document security practices: Keeping detailed records of security measures and incident response procedures is not only a good way to prevent and monitor threats, but it may also help lower your cyber insurance premiums. This is because an organized cyber incident response plan significantly lowers the potential damage from a cyber attack and proves your readiness to face a threat.
- Regular risk assessment: It is important to have a clear understanding of what cyber threats are covered under your policy and what’s not covered. Conducting regular risk assessments can help identify gaps in your coverage and ensure your business is adequately protected against high-impact and emerging cyber threats.
Protecting your business from what cyber insurance doesn’t cover
While cyber insurance is an essential tool for managing digital risks, what cyber insurance doesn’t cover might be just as important. Understanding what your policy doesn’t cover is crucial for developing a comprehensive risk management strategy. Organizations should work closely with insurance providers and cybersecurity experts to ensure they have appropriate coverage and security measures in place.
Remember, cyber insurance is just one component of a broader risk management strategy. By understanding its limitations, organizations can better prepare for and protect against the full spectrum of cyber risks they face.
Looking for top-notch cyber insurance coverage? Embroker offers tailored cyber liability insurance plans for various high-risk industries.