Several years ago, a series of massive and highly publicized retail data breaches took the issue of cyber security out of IT circles and inserted it into the mainstream news, cocktail party banter, and corporate board agendas. Those breaches also served to introduce the concept of cyber insurance to a much wider audience. Interest in and uptake of cyber insurance began to grow, largely driven by the breach response services (including incident response, forensic investigation, notification and credit monitoring costs) and class action lawsuit defense coverage available under those policies.

Although cyber policies still provide tremendously valuable coverage for breach events, they’ve come a long way since then. Recent iterations of cyber policies go far beyond data breach coverage and offer protection against a wide range of the most vexing cyber threats and privacy exposures affecting companies in every business sector.

Additional Coverages

Some of the key cyber exposures for which coverage may be available are:

Cyber Extortion

Coverage is generally available for ransomware payments, as well as for other types of cyber extortion, such as threats to publicly disclose protected information or to interrupt computer systems. Coverage typically includes response services, and insurers can assist with ransom negotiations. Some insurers also will assist with obtaining digital currency to pay ransom demands.

Social Engineering

Some insurers offer coverage under cyber policies that expressly applies to social engineering attacks — i.e., phishing, business email compromise — that result in the transfer of company funds to unintended third parties.

Coverage for Senior Executive Losses

At least one insurer provides coverage for identity theft and theft of funds from personal bank accounts of executive officers resulting from a third-party breach of the company’s network security.

Corporate Identity Theft

Coverage may be available for losses incurred as a result of fraudulent use of the company’s electronic identity, including the establishment of credit in the company’s name, electronic signing of contracts, and the creation of a website designed to impersonate the company.

Contingent Business Interruption

Some insurers offer coverage for loss of business income, forensic expenses, and extra expenses sustained as a result of the interruption of the insured’s business operations caused by an unintentional and unplanned interruption of computer systems operated by a third party business that provides necessary products or services to the insured pursuant to a written contract. This coverage can be especially valuable in today’s digital and interconnected economy.


Although cyber policies typically exclude coverage for damage to tangible property, some carriers have introduced endorsements that are triggered when a hacking event causes the “bricking” (loss of use or functionality) of the insured’s computer hardware or electronic equipment by maliciously reprogramming the software installed on that hardware or equipment. Bricking coverage applies to the costs to repair or replace the affected hardware or equipment when it would cost more to reinstall software.


A particularly valuable new coverage is now offered by some insurers for improvements to the insured’s hardware or software following a security breach that exploited a weakness in the insured’s computer system. Coverage is available if it is determined that such improvements will reduce the risk of a future breach related to that weakness.

Consequential Reputational Harm

Some carriers are offering coverage for lost profits associated with the loss of current or future customers because of reputational damage resulting from a covered cyber event. The lost profits must have been incurred during a “reputational harm period,” a designated window of time following discovery of the cyber event.

Loss Adjustment Costs

Calculating the costs associated with a system damage or business interruption insurance claim can be a complicated business, particularly when costs must be allocated to an uninsured waiting period designated in the policy form. Some cyber carriers are providing coverage for the cost to retain professionals, such as forensic accountants, to assist the insured in the calculation of its financial loss.

Invoice Manipulation Loss

Many insurers are now offering coverage specifically designed for phishing attacks and other schemes to trick the insured company into transferring funds to a fraudster instead of to an entity to which the insured owes money. Now, at least one insurer provides coverage to companies that have been unable to collect payment for their goods and services as a result of an “invoice manipulation loss.” Invoice manipulation means the release or distribution of a fraudulent invoice or payment instruction resulting from a security or privacy breach. The policy covers the insured’s net cost to provide the goods or services, exclusive of profits.

Corporate Identity Theft

Coverage now is offered by some carriers for financial loss resulting from the fraudulent use of the insured’s electronic identity, including the establishment of credit in the insured’s name, electronic signing of contracts, and creation of a website designed to impersonate the insured.

Telephone Hacking

Companies may be able to obtain coverage for losses resulting from the hacking of their telephone system, including reimbursement of costs for unauthorized calls and use of the company’s bandwidth.

Management Liability

Coverage may be available for senior executive officers if they are sued in connection with a covered cyber event.

A Word of Caution

The coverages described above may not be available from all insurers, and not all insureds will qualify for all types of coverage. In addition, some coverages may be subject to sub-limits and important conditions, such as requiring the insurance company’s consent before incurring any expenses.

Concluding Thoughts

Cyber insurance isn’t just for companies with large amounts of credit card data. Coverage is constantly evolving to address emerging cyber risks from which no company is immune. Companies should carefully consider how a well-designed cyber insurance policy can protect them from the expense and disruption of today’s pervasive cyber threats.
