Choosing Limits and Terms on Your Cyber Insurance Application

Setting your cyber liability insurance limits can be tricky if you don’t have a clear idea of what you need. Evaluating your risk exposures and prioritizing your options before you apply can help you get the most out of your coverage.

In this article, we’ll unpack insurance application lingo and explain, in plain language, how these terms affect your policy.

Cyber insurance lingo to know

Claims-made

Most standard cyber liability policies are written on a “claims-made” basis.

Claims-made means the cyber policy will apply only to claims made during the policy period. In other words, you must file claims within your policy’s active dates. Alternatively, for an added cost, you can purchase an extended reporting period (ERP) to stretch your policy’s claim dates beyond the usual one-year period.

For example, suppose a hacker infects your server with a virus that goes undetected until after your policy lapses. In that case, you wouldn’t have coverage even though the event occurred while your policy was active. An ERP would help cover that gap.

Defense within limits

Standard cyber liability policies also usually contain a “defense within limits” clause. Defense within limits means legal retainers and defense costs reduce your overall cyber liability limits. They come from the same coffers that pay legislative fines, settlements, monitoring and data restoration expenses. Your insurance company will stop paying once you hit your policy’s limits, even if you’re in the middle of a legal defense and settlements are still up in the air.

When choosing your limits, think about your ability to self-fund if a cyber claim exhausts your limits. Ask your agent about separating limits on certain liabilities like legal fees or restoration.

Insurance terms

Cyber liability insurance policies vary widely. You can choose the coverage options you want, aka insurance terms. (More on this below.)

Retention limits

You can also select limits, known as “retention limits,” that go with each of your individual cyber coverage choices.

Retention limits are an amount you agree to pay out of your own pocket to cover your claim. Decide on retention limits that you can safely handle.

While retention limits sound like deductibles, it’s important to understand that they’re not exactly the same. With a deductible, you’d pay the agreed amount and the insurance company would take care of everything else with the claim. Retentions, on the other hand, may require you to play a role in your claim in addition to payment, like defending against the loss.

Ask your agent to explain how the insurance company handles its retention limits. Clarify the retention limits again before you sign the policy. Make sure you understand which retention limit is used when there are multiple triggers on your policy from a single cyber event. Typically, you’d only pay one retention limit, the highest one of the applicable coverages.

Customizing your cyber liability insurance terms

Most insurance companies offer customizable cyber insurance policies. You can choose the coverage options that suit your risk levels and business needs. You might adjust your retention limits in specific areas or omit specialized coverage based on your industry and operational risk.

Cyber insurance terms typically include the following:

| Cyber insurance term | What it covers |
| --- | --- |
| Privacy and security | This covers data breaches affecting exposed personally identifiable information. Suppose a hacker compromised your customers’ data (emails, medical or financial information). This coverage would help defray the costs, including credit monitoring services and legal defense fees. |
| Media | This protects against liability issues resulting from a cyberattack on your media sites. For example, if a threat actor cracks your company’s website and social media accounts and publishes offensive materials, media liability would help with the resulting lawsuits. |
| Regulatory proceedings | This coverage responds if a data breach triggers an investigation by a regulatory body like the Federal Trade Commission or European Data Protection Board. It covers fines, penalties and other legal defense costs. |
| Computer and legal experts | This covers fees for IT professionals and lawyers to investigate the data breach, determine its impact and plan a response. |
| Betterments | This supports improvements made during the repair of damaged systems or data to ensure they are more secure than they were at the time of the breach. If a system failure requires new, more advanced security upgrades to prevent future attacks, betterments coverage can offset the cost. Without betterments coverage, you’ll pay out of your own pocket to improve your systems, including security upgrades. |
| Cyber extortion or ransom | If hackers try to hold your data or systems hostage until you pay them, this helps cover the cost. |
| Data restoration | This covers the cost of recovering and restoring data damaged or lost during a cyberattack. |
| Public relations | After a cyberattack or data breach, you may need PR help to restore your company’s reputation. Suppose your company was hit by a severe data breach, leading to an outcry on social media. This would cover the cost of a PR campaign to restore your image. |
| Computer fraud | Computer fraud coverage helps if a cybercriminal diverts funds from your business or cons your company out of assets. |
| Fund transfer fraud | This coverage protects your business if someone illegally transfers funds from your accounts. If a threat actor broke into your accounts to illegally transfer funds, this would cover the lost funds. |
| Social engineering fraud | This covers scams that manipulate employees into transferring money or revealing sensitive information. Imagine your employee transferred cash based on a social engineering email that appeared to be from a trusted vendor. This coverage would reimburse the loss. |
| Telecom fraud | Telecom fraud coverage would pay if a fraudster clocked up huge long-distance charges on your phone line. |
| Business interruption | This helps if a cyber breach interrupts your business operations. Suppose a cyberattack shut down your online store, leading to a loss of sales. Business interruption would help recoup that lost income. |
| Dependent business interruption | This coverage helps when a cyberattack on a partner or vendor affects your business. If a cloud storage provider you rely on had an outage, causing your operations to halt, you’d lose income. This coverage would help offset your loss during the provider’s downtime. |
| Reputational harm | If a cyber incident damages your business’s reputation, causing loss of clients or income, this covers your losses. |

Artificial intelligence and your risk exposure

Launching an artificial intelligence (AI) technology requires extensive planning. From a cyber insurance perspective, AI is like any other technology that needs to be protected. If you’ve already integrated AI into your business, assess its impact on your operations. If you’re still shopping around, remember your liability as you narrow your AI options.

Cloud services might put some onus on outside vendors (for any technology, not just AI), but that doesn’t absolve you from liability. Outsourced technology can still affect your bottom line and create a liability risk, depending on your business setup.

Start by evaluating the purpose of your AI and how you’ve configured it. Does it rely on an external service, or can it remain functional using internal servers within your control?

The types of safeguards, human oversight and autonomy you’ve allowed for your AI also affect your liability exposure. Are you allowing AI to make decisions on its own? If your AI malfunctions due to an internal or external cyberattack, you’ll need a plan to take it out of service.

Here are some coverages to consider if you’re using AI-aided systems:

  • Privacy and security: Chatbots might need extra privacy and security coverage. They handle large amounts of sensitive customer data.
  • Data restoration: AI systems learn and improve from data collected over time. Since the accumulated data is critical for AI tools’ effective operation, this coverage is beneficial.
  • Cyber extortion or ransom: AI could become a target for hackers who encrypt data until their ransom is paid.
  • Computer and legal experts: You might need complex technical and legal expertise to fix the issues and navigate legal consequences after a cyberattack on your AI.
  • Business interruption: An AI compromise might lead to revenue loss if your AI technology is integral to your business operations, like a call center or automated service desk.
  • Dependent business interruption: This coverage could help compensate for lost business income if your AI’s service provider goes offline after an attack.

Review your tech and talk to your insurance agent

When completing your cyber insurance application or renewal, review your technology protocols.

If it’s a renewal, don’t just re-up your application. Tell your insurance agent if you’ve added AI, improved your employee cyber awareness training or elevated your cybersecurity standards. You might qualify for discounts or improved coverage options.

If it’s a new application, inventory your tech, gather your written cyber policies and choose your coverage options. We can help match you with the best insurance company for your needs.