What is Cyber Insurance?

Today, no one is 100 percent secure — believing otherwise is hubris of Icarian proportions.

This reality is a core reason why more organizations are turning to cyber insurance: without it in some form (whether it’s a purchased policy or their own allocated cash reserves), they have no safety net to stymie losses from a serious cyberattack.

CISOs need every risk mitigation technique they can get, and cyber insurance can be an effective tool to mitigate and transfer cyber risk. But getting the right coverage, terms, and services is far easier said than done.

Learn To Navigate Today’s Cyber Insurance Market

Security leaders who take time to understand the ins and outs of the cyber insurance market have a distinct advantage in everything from broker selection to policy negotiations.

This is why we launched our cyber insurance research: to guide our business and security clients through this $1.5 to $3 billion (and growing) market and to offer insight and best practices to better mitigate cyber risk.

Key Findings

What we found is a cyber insurance market that looks a lot different than even 2-3 years ago and keeps evolving quickly. Likely no surprise to security pros, many insurers’ cyber offerings are their fastest-growing product lines. Still, insurers and security buyers alike grapple with a list of pain points. Here are some of our key findings:

The cyber insurance market is maturing, but growing pains persist. We see positive signs that the market is growing up: more transparent policies, fewer contentious claim holdups, and insurers with a better understanding of cyber risk. Still, it’s far from painless. Security leaders face countless hurdles, including pedantic legalese, pricing hikes, IP and reputation coverage gaps, and disconnected purchase decisions due to internal discord.

Buyers navigate a labyrinth of intertwining providers and partners. Our report maps out the intricate web of cyber insurance underwriters, brokers, reinsurers, consultancies, data analytics and cyber risk scoring providers, and carefully constructed carrier panels of post-breach services, such as incident response and legal counsel. And for large enterprises, there are self-insurance and captive options that may offer capitalization or tax advantages.

The devil is in the details. For both cyber insurance veterans and newbies, it’s easy to make mistakes. Even a slight variance in your policy’s definition of “computer fraud” can be the difference in millions of dollars of coverage. We break down cyber insurance coverage gaps and limitations into four categories: 1) Sublimits and Deductibles; 2) Explicit Exclusions; 3) Implicit Restrictions; and 4) Services Constraints. You’ll want to read up on all of these before you start redlining your policy.

Choose your cyber insurance broker wisely. The most important cyber insurance relationship is between the CISO and broker. Whether it’s selecting a cyber insurance carrier, updating your policy, or handling major claims, you’ll turn to your broker first. During your broker selection process, make sure that their incentives prioritize your relationship — not their relationships with partners. Review the services they offer, their cybersecurity acumen, partner ecosystem, and the experience of existing customers.

–By Nick Hayes, Senior Analyst, and Heidi Shey, Senior Analyst


With corporate data breaches on the rise, many business owners are rethinking their security practices and strategies for risk management. Hacks, breaches and network outages present more than just technology issues—they come with financial repercussions, a potential loss of customers and a negative reputation in the marketplace.

These potential consequences are leading business owners to adopt more-holistic approaches to security involving both preventative measures and response plans. Preventative measures help secure network defenses and implement best security practices. Response plans involve cybersecurity insurance, a policy designed specifically to trigger when a security incident occurs.

Cybersecurity insurance is a relatively new type of coverage, which explains why it’s often misunderstood. This article makes sense of cybersecurity insurance so business owners can better understand what types of coverage are available and ensure their business’s recovery after a cyberattack.

1. What Is Cybersecurity Insurance?

Cybersecurity insurance—sometimes referred to as cyber liability or data-breach liability insurance—is a type of standalone coverage. It helps companies recover from data loss owing to a security breach or other cyber event, such as a network outage or service interruption. Cybersecurity policies are different from property or general liability policies because prices and exclusions for cybersecurity insurance vary widely between insurers.

Although this situation may make choosing a policy more complicated, it shouldn’t deter business owners. Cybersecurity insurance is important to building a comprehensive strategy for risk management and response.

2. Should I Purchase Cybersecurity Insurance?

No business is immune to network outages and data breaches; in fact, studies show that small businesses are victims of 71% of cyberattacks. The impacts are often devastating, ranging from lost business opportunities to customer revolt, and from a damaged reputation to stolen data and funds. Repercussions can even extend to loss of employment, as Target’s former CEO discovered.

Considering these potential repercussions, cybersecurity insurance may be a wise investment for your company. It mitigates many of the costs associated with investigating and resolving a security incident, and it helps a business return to normal operations quickly.

3. What Types of Coverage Are Available?

Cybersecurity insurance comes in two types: first party and third party. Most insurers offer policies that combine features of both, but not always. Many carriers also write provisions and exclusions into first- or third-party policies, so businesses should carefully read their cybersecurity policy to understand what is covered in the event of a security breach.

A cybersecurity plan that focuses on first-party coverage is what most businesses will need. It protects against losses suffered by the insured and can include reparations for some of the following incidents:

  • Damaged or lost digital assets, such as data and software
  • Lost business opportunities or increased operational costs due to an interruption of the insured’s computer systems
  • Cyber extortion if the hacker holds the insured’s data for ransom
  • Money stolen through an electronic crime

Third-party coverage is generally geared toward the third-party companies who manage the software, network or system that holds the compromised data. Third-party plans typically cover costs associated with the following events:

  • Security breaches of employee confidentiality
  • Lost customer data and information
  • Customer notification after a security breach
  • Public-relations efforts as well as combatting defamation and intellectual-property violations.

4. What Doesn’t Cybersecurity Insurance Cover?

Cybersecurity policies are relatively new and still growing, but many don’t cover theft of intellectual property and have a difficult time protecting against damaged reputations and lower sales. These shortcomings may change, but cybersecurity insurance is so new that underwriters remain unable to easily and accurately assess risk. As a result, they exclude items—such as product designs, software code and reputation loss—that are hard to quantify.

5. What Kind of Cybersecurity Insurance Do I Need?

The best way to determine what kind of cybersecurity insurance your business needs is to perform a risk assessment and impact analysis. Businesses should carefully review their assets—including financial and customer data—as well as intellectual property, and categorize them as high or low risk. They should also recognize their main points of vulnerability during this process. The recent attack on Swift, which was once considered a highly secure financial messaging system, showed how hackers can exploit vulnerabilities in a system to steal a company’s physical assets.

Finally, business owners should visit with legal counsel and other department heads. Doing so will provide more insight into the implications of a data breach and pinpoint which assets are critical to safeguard when developing a risk-management strategy.

6. Should I Work with a Cybersecurity-Insurance Broker?

Businesses should work with a cybersecurity-insurance broker who has proven experience and expertise in selecting a cyber policy. This individual will be able to offer advice about different policies, prices and exclusions, allowing businesses to choose the coverage that best fits their needs.

7. Who Sells Cyber Insurance?

The perceived risk exposure of cybersecurity insurance is high, so it is currently available only through major carriers like AIG, Apogee Insurance Group, Chubb and Zurich. These companies have both the means and willingness to cover filed claims. The options will likely grow, however: as cyber threats increase, so does public demand for standalone coverage.

8. How Do Insurers Price Cybersecurity Policies?

Insurers price cybersecurity coverage using the same method that they employ for traditional insurance packages. Underwriters analyze the insured’s risk and author policies accordingly. But pricing cyber insurance can be more challenging. Underwriters have little data available, making it difficult to accurately assess risk. As more objective data becomes available, this situation will likely change.

9. Why Is Cybersecurity Insurance Expensive?

Premiums are based on risk, and data breaches present a high risk because they can necessitate large payouts. As a result, cybersecurity-insurance premiums have been trending sharply upward in the past few years. Because these policies are customized to fit each company’s needs, they take more time to create and are therefore more costly. Without quantitative actuarial data, underwriters use qualitative assessments of a business’ risk-management procedures and risk culture.

The nature of the business and type of data it stores come into play as well, which is why financial and health-care institutions typically face steeper premiums. The size and scope of an organization, its number of customers, and how it collects and stores data all affect coverage needs and pricing.

10. Are There Ways to Reduce Premium Costs?

Although cybersecurity insurance doesn’t follow the new usage-based model of auto insurance, there are still ways to reduce premiums. One is by implementing best security policies and practices for your business. The Department of Homeland Security urges businesses to adopt preventative cybersecurity measures and encourages insurance companies to base premiums on the insured’s level of self-protection.

Hacks and breaches are on the rise, but businesses can make two types of offensive moves. First, they can adopt best security practices. Second, they can develop a robust recovery plan that prominently features cybersecurity insurance. These two tactics will not only help guard against cyberattacks, but they will also help get businesses back on their feet quickly if their data is compromised.



CHRISTOPHER HYNES, JD, CFP, Attorney and Certified Financial Planner
As one of approximately 1,800 attorneys who are also Certified Financial Planners™, Chris Hynes’ education, training and experience furnish him with a unique perspective on complex financial structures, issues and products.
Robert Russell, Certified Advisor: Medical Malpractice Insurance
With 25+ years of helping the medical profession identify, manage and control its medical malpractice insurance costs, Rob Russell is an accomplished medical malpractice professional who earned his Registered Professional Liability designation and is a respected member of PLUS.
Robin Trenchard, Member at HealthCare Risk Advisors
Thirty plus years in operational and administrative management. The first fifteen years were in administrative management within law practices. The past fifteen years have been as an executive in operational and administrative management positions for health care professional liability focused insurance related companies.
