What Does Cyber Insurance Not Cover In 2024?
What does cyber insurance not cover? Cyber risk is more prominent than ever, and ensuring cyber risk is getting more complicated day by day. For many years, we here in Cage Heaven have been discussing the fact that nearly every business, large and small in technology, healthcare manufacturing, and many more — is a cyber risk. Every day we are informed of another security breach.
For example, ransomware, phishing emails with embedding malware, or social engineering-related attacks, businesses are being targeted by cyberattacks all of the time. For many of the leaders of these businesses, an insurance policy for cyber security seems to have a lot of worth.
Many clients are asking us the question: what does cyber insurance not cover? Some companies are even unsure whether cyber risk is insurable.
The most prevalent cyber-related risk include privacy risk, security risk, operational risk, and service risk. Generally, Cyber insurance is intended to safeguard your company from these main threats through four distinct insurance agreements:
- Network security and privacy liability
- Network business interruption
- Media liability
- Errors and omission
Particularly, network security and privacy liability could comprise both third-party as well as first-party expenses. Let’s examine what does cyber insurance not cover, each top non-covered expense.
What Does Cyber Insurance Not Cover?
What is excluded from cyber insurance? The most significant non-covered costs that your business could be facing following the cyber attack could be:
Potential loss of future profits
The damage that comes with data breach impacts — such as data loss, public disclosure of sensitive information the theft or destruction of intellectual property, and damage to brand reputation may last for many years after an incident. The ongoing consequences often cause sales to be lost and market share reductions as well as difficulty in finding new employees and other issues that affect profitability. The likelihood is that a cyber insurance company won’t cover the losses unless you directly connect these with the data breach.
Loss of intellectual property value
For companies in the tech industry, manufacturers, and other companies IP is the utmost prize of your business. It is the foundation of your continued success and operations. The leaking of proprietary information such as designs for products and formulas could erode your position in the market, cost your market share, or make you unprofitable. Unfortunately, most cyber insurance policies do not provide coverage for financial losses that result from IP loss.
Costs to enhance your cybersecurity posture
A significant post-breach cost for many companies is the implementation of new technologies, controls, and policies that ensure that cybersecurity is at an enhanced level that protects the company and its customers. While these costs could greatly lower the risk of being a victim of cyber-related claims as well as the risk of cyberattacks in the future, however, they are typically not covered by cyber insurance.
If you gave money to an attacker on your own and freely, for instance by transferring money to their bank account the cyber insurance policy may not be able to cover the funds lost. This is true even if employees are swindled by a business email compromise (BEC) scam or another cyberattack that uses social engineering.
In certain cases, the insurance coverage for BEC-related losses may come from the specific terms of the policy. It is always a good idea to review the cyber coverage policies as well as exclusions thoroughly and seek legal advice in case you have any questions.
Some cyber insurance policies have acts of war or a nation-state attack clause that can deny coverage if the attack is declared to be an act of war or is claimed to have been carried out by the nation-state. A prime example would be advanced persistent threats (APTs) initiated by a rogue state-sponsored group to steal the designs of modern U.S. weapons — particularly when they are declared by the U.S. government as acts of war.
In November 2021, Lloyd’s of London released four new cyber war and cyber operation exclusion clauses that deny coverage for losses resulting from nation-state-sponsored cyber-attacks. This includes cyber-operations that take place in the course of war as well as retaliatory attacks.
Lloyd’s decision raises numerous concerns, particularly about the way that insurers, governments, and security experts determine what constitutes a state-sponsored attack. This could put the burden on governments to come up with a plan to protect critical infrastructure organizations in the aftermath of a catastrophic financial cyber attack.
An Ounce of Prevention
In order to obtain insurance it is necessary to meet strict security and resilience requirements for cybersecurity -and all of them must be met. As a result, a business’s cybersecurity strategy should include not only taking steps to stop the possibility of an attack or stop an attack if it does occur but also focusing on cybersecurity resilience that focuses on ensuring that operations don’t totally fall apart due to an attack. The ones who are able to go beyond these standards are usually in a position to reduce the risk of their business and also lower their premiums.
Cyber insurance is a vital protection against risk and a risk transfer strategy for companies that are of any size — not only those who deal with sensitive data.
Most cyber insurance policies pay out for financial losses caused by direct results caused by an accident, in addition to legal costs arising out of third-party claims.
Cyber insurance companies also provide numerous services that aid clients in restoring their operations, reducing the impact on their reputations, and increasing their security posture.
The negative consequences of a cyberattack are numerous and not many policies address the full range of potential harms.