Things to Consider When Buying Cyber Insurance

Data breaches have become rampant over the past few years. Given their unpredictable nature, data breaches are hard to deal with. Thus, an overall risk management strategy is becoming increasingly important.

As more and more companies have experienced data breaches, the market for insurance has grown exponentially. Investing in a cyber insurance policy is an important step for organizations looking to expand their cybersecurity practices and reduce their potential liability. Before you choose a policy, make sure you consider the following:

Identify Your Risks

The first step in buying cyber insurance is to understand the nature and the extent of the risks facing your company. For some businesses, like banks and retailers, the primary concern is the theft of personal financial information. On the other hand, the major risk to a utility or energy company is the disruption of critical businesses or physical operations through attacks on networks. Businesses should tailor their coverage to the risks that they face.

Buy What You Need

With the variety of coverages offered by insurers in the market today, it is important to focus on the basics. You should consider whether your business needs all the coverages being offered and decline to purchase those that you do not need. Likewise, if an insurer is not willing to remove an objectionable exclusion or limitation from its policy, ask your broker to obtain a quote from a carrier who will offer the coverage without the limitation.

Limits and Sublimits

One of the most important aspects of building the perfect cyber insurance policy relates to choosing your policy’s limits and sublimits. The cost of a cyber attack can be millions of dollars. As such, policyholders will want to first ensure that their overall limits are in line with their level of risk. To do this, compare the anticipated costs associated with a data breach to the limits of liability available. Your insurance broker should be able to assist you in determining appropriate limits by utilizing industry benchmarking data and projected breach costs.

Understand Your Existing Coverage 

Your company’s standard first- and third-party policies may provide some protection from cyber risks, and it is important to understand what coverage, if any, may be available under your existing policies. For example, standard financial institution bonds provide coverage for third-party claims arising from a fraudulent computer instruction to transfer customer funds. Understanding your existing coverage will enable you to purchase the type of cyber insurance that your company needs.


Often, coverage for a loss or claim depends on the language in a policy exclusion as opposed to the language in the grant of coverage. Because cyber insurance is a new product, the policy language is not standardized. Policies may contain exclusions that have been cut and pasted from other insurance forms, and the exclusion simply may not belong. When this happens, negotiate with the insurer, or seek other quotes.

Get Retroactive Coverage

Cyber policies sometimes restrict coverage to breaches or losses that occur after a specific date. In some forms, this is the inception date of the policy. This means that there would be no coverage for breaches that occurred before the inception of the policy. Because breaches may go undetected for some period of time, it is important to purchase coverage with the earliest possible retroactive date.

Consider Coverage for Acts and Omissions by Third Parties

Many companies outsource data processing or storage to a third-party vendor. It is important that your cyber insurance policy provide coverage for claims that arise from misconduct by one of your vendors.

Evaluate Coverage for Data Restoration Costs

Many cyber insurance policies do not provide coverage for the costs to replace, upgrade or maintain a computer system that was breached. Data restoration costs are potentially prohibitive. Any company that faces the risk of a data breach should take steps to ensure that its policies provide coverage for the costs of putting the company back in the position it was in before the breach.

Understand The “Triggers”

It is important to understand what activates coverage under your cyber policy. Some policies are triggered on the date the loss occurs, while others are triggered on the date that a claim is made against the insured. In order to provide proper notice, you need to understand how coverage applies under each policy you purchase.

Consider Coverage for Loss of Information on Unencrypted Devices

Many professionals today work on computers and tablets outside the office. Although many firms encrypt company-owned laptops, personally owned computers and storage devices are not encrypted. It is important for firms facing a loss of data through personal computers to buy insurance that provides coverage for such losses.

Consider Coverage for Regulatory Actions

A data loss may not only cause the loss of information but could also result in regulatory actions against your company. State and federal agencies have become more active in responding to data and privacy breaches. You should consider whether your company’s insurance policy provides coverage for a regulatory investigation or a regulatory action arising from a cyber incident.

Cyber insurance is a relatively new form of coverage—one that will continue to evolve alongside emerging cyber threats. As such, cyber insurance requires organizations to be proactive in assessing their risks and ensuring that their insurance coverages are in line with their specific business practices and exposures. Make sure you ask lots of questions and take the time to discuss them with your carrier.

For more information, you may contact or email ONYX Insurance Brokers now!
