What does cyber insurance actually cover?

What does cyber insurance actually cover?

< Back

2023 October 29

As we kick off Cyber Smart Week in New Zealand, we thought it was timely to take a look at cyber insurance and what it actually covers.

We often get asked how cyber insurance helps if a business has a cyber breach and what it costs.

The theme of this year’s Cyber Smart Week is “Exposed” and we certainly all are – whether you are an individual, an SME, or a large corporate.

So, what does a cyber policy cover?

Cyber policies generally provide coverage for:

  • Cyber incident response – all costs associated with a crisis or breach and incident management.
  • Digital asset restoration – the cost to rebuild damaged systems and/or restore lost data.
  • Cyber extortion – the costs of negotiating a ransom and payment of ransoms, if allowed by law. Paying ransoms is not illegal in New Zealand and hence can be insured against.
  • Business interruption – the loss of profits and/or the increased cost of working suffered as a result of network downtime or other cyber incident. These losses are often excluded within a material damage or business interruption policy.
  • Dependent business interruption – business interruption losses suffered as a result of your IT service providers becoming a victim of a cyber-attack.
  • Privacy & security breach liability – third party legal liability for breach of privacy (e.g. due to the loss or theft of personal information).
  • Regulatory defence, awards and fines.

 It is important to note here that different insurers may offer variations of the coverage listed above or may cover each item to different extents. Some policies may not cover some of these items at all. Please ensure you read any policy wordings carefully to understand what you are being covered for.

How does a cyber policy respond?

Most traditional insurance policies operate on the promise to pay a claim once a loss has occurred, typically on a reimbursement or an indemnity basis.

One of the key differences and major benefits of a cyber policy is the immediate access it provides policyholders to crisis or breach/incident response managers. These include:

  • IT forensic specialists
  • IT security experts
  • Lawyers
  • Public relations managers
  • Accounting firms

It can also include other relevant professionals that may typically be involved in the investigation, mitigation, and management of a cyber-related incident.

The overall response is typically led by a legal firm that a cyber insurer has partnered with as part of their policy offering. These professionals will ‘coach’ policyholders (especially first-time victims of a breach) on what to do.

Most insurers will have a panel of two to three firms to choose from. A few insurers have brought these capabilities in-house, and these often will even provide preventative services by monitoring the cyber-security of, and attempted attacks on, their policyholders. All these costs are covered under a cyber policy.

What does it cost? 

The cost to purchase cyber insurance can vary greatly depending on the nature, size, and scale of an organisation, and of course, the breadth of coverage they wish to buy. Pricing is also dependent on several other factors, including, but not limited to:

  • The strength of an organisation’s cyber-security and systems.
  • Internal awareness training.
  • The robustness of an organisation’s internal IT policies, how well these are complied with, and how stringently compliance to policies is monitored.
  • How much data (especially sensitive data) an organisation stores.
  • How data is managed.

Another question we often get asked, particularly by SMEs, is do I actually need cyber insurance? Stayed tuned for our next article to answer that very question.

In the meantime, if you do have any questions, please reach out to our liability specialists on insurance@icib.co.nz or phone 09 377 4314.