This page is meant to serve as a 101 educational resource for Cyber insurance.
What is Cyber Insurance?
Cyber insurance is a specialized form of commercial insurance policy designed to protect businesses against the financial losses resulting from cyber incidents. These incidents include data breaches, attacks such as ransomware or other malware infections, and other forms of cybercrime that disrupt business operations, cause loss of confidential or critical data, and result in financial and reputational damage to the company.
Cyber insurance policies can cover a range of expenses and liabilities, including but not limited to:
- Incident Response and Investigation: Costs associated with investigating and responding to a cyber incident, such as hiring forensic experts to determine what happened, how to fix the issue, and how to prevent future incidents.
- Data Breach Notifications: Expenses related to notifying customers, employees, and other affected parties of a data breach, as required by law in many jurisdictions.
- Credit Monitoring Services: The costs of providing credit monitoring services to customers whose information may have been exposed in a breach.
- Legal Fees and Settlements: Legal expenses and potential settlements or judgments arising from lawsuits related to the breach or cyber-attack.
- Business Interruption: Compensation for lost income and related extra expenses while a cyber-attack disrupts business operations, usually only after a waiting period (a set number of hours of outage) defined in the policy.
- Cyber Extortion: Ransom payments in ransomware or data-theft extortion cases, where payment is demanded to decrypt systems or to withhold stolen data from release. Most policies require the insurer's consent before any payment is made and a sanctions check on the recipient, since paying a sanctioned party can itself be unlawful.
- Regulatory Fines and Penalties: Coverage for fines or penalties levied under data protection regulations in the aftermath of a cyber incident, to the extent such fines are insurable under the law of the relevant jurisdiction (some jurisdictions do not allow fines to be insured).
The scope and depth of coverage can vary significantly between policies and insurers, making it crucial for businesses to carefully assess their specific risks and coverage needs. As cyber threats evolve, so do cyber insurance products, with insurers continuously updating their offerings to address new types of cyber risks.
Critical Elements / Breakdown of the application
Industry Type / Class Code / Industry Code
What the business does is a critical part of the Cyber insurance application. This is referred to as the Industry Type, and also as the Class Code, Class or Industry Code of the business.
Eg: A software or healthcare company is a higher risk from a Cyber insurance perspective than a barber shop, because it holds far more sensitive data, depends more heavily on its systems, and is a more attractive target.
The industry of the business is the key piece of information used to determine which underwriting questions are asked. It affects whether the carrier wants to insure the business at all and what the premium amount will be.
There are two standardized lists of industry codes: NAICS (North American Industry Classification System) and SIC (Standard Industrial Classification).
Security Controls
The cyber security controls a business has in place are a critical factor in determining its risk. For example, a company that enforces MFA on remote access and email and requires out-of-band verification before paying a new or changed payee is less risky than one that does not, because those two controls most directly cut off credential-based intrusions and business email compromise respectively. Underwriting questionnaires commonly also ask about endpoint detection and response, offline or immutable backups, patching cadence and privileged access management.
Prior Losses / Loss Types
When reporting past losses on a Cyber insurance application you also have to state the loss type of each loss. Each carrier defines its own list of loss types. Some of the common ones are:
- Tech Errors and Omissions
- Cyber Incident
- Business Interruption
- Digital Data Loss
- Network Extortion
- Payment Card Loss
- Fund Transfer Fraud
- etc
Rating Factors
The core rating factors for a Cyber policy are:
- Industry Type
  - Class Code / Industry Code
- Business Size
  - Revenue
- Security Controls
- Past Losses
  - Loss amount
  - Loss type
  - Date of loss
Other factors also go into the decision to insure a business and how much premium to charge, but the ones above are the core factors.
Liability Limits
The liability limits of a Cyber policy are:
- Aggregate/Per Policy Limit - The total amount the insurer will pay out across all claims in the policy term. Once the sum of paid claims reaches this amount, nothing further is paid for any new claim in that policy term, and any excess falls back on the business.
  - Eg: ($1M) If there was an incident/claim in February and another in March, each costing $500K, the aggregate is exhausted after March and the business receives nothing from the insurer for any further incidents/claims in that policy term.
- Retention Limit - The retention (the equivalent of a deductible) is the amount the business agrees to pay out of its own pocket on each claim before the insurer's coverage applies.
  - Eg: ($10K) If an incident/claim costs $100K, the business pays the first $10K and the insurer's coverage applies to the remaining $90K. A claim that costs less than the retention is paid entirely by the business.
The aggregate and retention limits offered by a carrier come from a preset list. The most common combination is a $10K retention with a $1M aggregate (written 10K/1M).
The preset list of Cyber liability limits offered can change based on the carrier and the state. Some carriers also change the limits offered based on the revenue of the business.
Besides the standard limits above, each carrier may set separate sublimits for the optional coverages included in the Cyber policy, e.g. a payment fraud limit or a network extortion limit. A sublimit caps what is paid for that coverage regardless of how much of the aggregate remains.
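To make the interaction between the retention, the aggregate limit and a coverage sublimit concrete, here is a worked example added for this page (it is not from the original page or from any carrier's policy). It settles a constructed list of claims over one policy term; the policy figures, the claim amounts and the $250K "Fund Transfer Fraud" sublimit are hypothetical. It assumes that only the insurer's payments erode the aggregate and the sublimits, not the retention the insured pays; real policy wordings differ on this, so check the policy.

```python
"""Added worked example (not from the original page): how a per-claim retention,
the aggregate (per-policy) limit and optional coverage sublimits interact over
one policy term. Policy figures and claims below are constructed for
illustration. Assumption: only the insurer's payments erode the aggregate and
the sublimits; the retention paid by the insured does not."""

from dataclasses import dataclass, field


@dataclass
class Claim:
    month: str
    loss_type: str  # the carrier's loss-type label for the incident
    amount: int     # total cost of the incident, in dollars


@dataclass
class Policy:
    aggregate_limit: int   # most the insurer pays in total during the term
    retention: int         # the insured pays this much of each claim first
    # optional per-coverage caps, keyed by loss type (hypothetical figures)
    sublimits: dict = field(default_factory=dict)


@dataclass
class Settlement:
    claim: Claim
    insured_pays: int
    insurer_pays: int
    remaining_aggregate: int
    notes: list


def settle_claims(policy: Policy, claims: list) -> list:
    """Apply retention, sublimit and aggregate to each claim in date order.
    Whatever the limits do not cover falls back on the insured."""
    remaining = policy.aggregate_limit
    sublimit_used = {loss_type: 0 for loss_type in policy.sublimits}
    settlements = []
    for claim in claims:
        notes = []
        # 1. Retention: the insured pays the first `retention` dollars.
        payable = max(claim.amount - policy.retention, 0)
        if payable == 0:
            notes.append("below retention, nothing payable by insurer")
        # 2. Sublimit for this coverage, if the policy has one.
        if claim.loss_type in policy.sublimits:
            cap_left = policy.sublimits[claim.loss_type] - sublimit_used[claim.loss_type]
            if payable > cap_left:
                notes.append(f"{claim.loss_type} sublimit reached")
                payable = cap_left
        # 3. Aggregate: the insurer never pays more than what is left of it.
        if payable > remaining:
            notes.append("aggregate limit reached")
            payable = remaining
        if claim.loss_type in sublimit_used:
            sublimit_used[claim.loss_type] += payable
        remaining -= payable
        settlements.append(Settlement(claim, claim.amount - payable, payable, remaining, notes))
    return settlements


def totals(settlements: list) -> dict:
    """Term totals: what the insured and the insurer each paid, and what is left."""
    return {
        "insured_pays": sum(s.insured_pays for s in settlements),
        "insurer_pays": sum(s.insurer_pays for s in settlements),
        "remaining_aggregate": settlements[-1].remaining_aggregate if settlements else None,
    }


# Constructed sample: 10K/1M plus a $250K sublimit for Fund Transfer Fraud
# (hypothetical figures, not a quote from any carrier).
SAMPLE_POLICY = Policy(aggregate_limit=1_000_000, retention=10_000,
                       sublimits={"Fund Transfer Fraud": 250_000})
SAMPLE_CLAIMS = [
    Claim("Feb", "Cyber Incident", 100_000),        # retention only
    Claim("Mar", "Fund Transfer Fraud", 400_000),   # hits the sublimit
    Claim("Jun", "Business Interruption", 5_000),   # below retention
    Claim("Sep", "Network Extortion", 800_000),     # exhausts the aggregate
    Claim("Nov", "Cyber Incident", 50_000),         # nothing left to pay
]

if __name__ == "__main__":
    results = settle_claims(SAMPLE_POLICY, SAMPLE_CLAIMS)
    for s in results:
        print(f"{s.claim.month:>3} {s.claim.loss_type:<22} loss ${s.claim.amount:>9,}"
              f"  insured ${s.insured_pays:>9,}  insurer ${s.insurer_pays:>9,}"
              f"  aggregate left ${s.remaining_aggregate:>9,}  {'; '.join(s.notes)}")
    print(totals(results))
```

Running it shows the three failure modes a business should plan for: a small claim that never clears the retention, a fund transfer fraud loss that is capped by its sublimit while most of the aggregate is still available, and a late-year claim that gets nothing because two earlier incidents have already consumed the $1M.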