Risky business: Cyber insurance — What’s covered? Experts explain

New Jersey is a land of opportunity for cybercriminals.

So said Frank Costa, principal and chief growth officer of insurance brokerage firm World Insurance Associates, which has more than 20 offices in New Jersey. While all companies are susceptible to cyberrisks, he said, “New Jersey firms represent a large segment of high-focus cyberattack targets: technology, health care, manufacturing and distributors.”

Another New Jersey industry, hospitality, got hit with a cyberattack in September, as reported by Reuters, which noted that hackers brought down multiple systems of MGM (owner of gaming resort Borgata in Atlantic City).

Yet, even with high-profile cyberattacks occurring regularly, there’s a gap in insurance protection against cyberrisk, noted Patrick Wraight, director of the Insurance Journal Academy of Insurance: “Most commercial property and commercial general liability policies will exclude losses related to cyberrisks,” so businesses should consider a cyber insurance policy. Prominent among those risks, he said, is “the security of their processes and data.”

Costa pointed out a laundry list of cyberrisks facing firms: data breaches (unauthorized access to sensitive information); ransomware attacks; phishing and social engineering (manipulating employees into “willful parting” of information); insider threats; malware, denial of service and supply chain attacks; Internet of Things devices being compromised; mobile device vulnerabilities; and fraud targeting financial transactions and payment systems.

Hayden Kopser, co-founder and president of insurance brokerage firm North Improvement LLC, based in Westfield, asserted that ransomware/cyberextortion and social engineering are “cybercrime segments that can lead to direct financial loss and the potential for business interruption.”

Hayden Kopser.

The rise in remote work has worsened these threats.

“Given the extensive variety of ransomware/cyberextortion scenarios and the ever-expanding social engineering attack methods, these two areas will continue to be a problem for businesses that operate online in any capacity,” Kopser added.

Cyber insurance policies help protect against cyberrisks. Coverages include data compromise response expenses, computer attack and cyberextortion, data compromise liability, network security liability, electronic media liability and identity recovery, noted Gary Sullivan, senior director, emerging risks, for American Property Casualty Insurance Association, an insurance company trade group.

Insurance isn’t enough, though, said Wraight: “People need education, training, experience and vigilance. And that takes effort.”

Cyber liability insurance can include technology errors and omissions coverage (for tech firms), media liability (for marketing companies and risks) or crime coverage (for a range of firms). Traditional cyber policies include first-party coverage (which insures the company) and third-party coverage (which covers others) issued at $1 million limits and higher, Costa notes.

Gary Sullivan.

Some carriers offer supplemental cyber coverage on property/liability package policies or businessowners policies, but these typically include limited coverage and lower limits than reasonably required, Costa pointed out: “All businesses are advised to evaluate a standalone cyber liability policy and not rely solely on other primary policies with cyber add-ons.”

According to Sullivan, standalone cyber insurance policies make up the majority of cyber premiums, as per insurance rating agency AM Best Co.

Insurers have tightened up coverage language and reduced limits for high-risk threats, Kopser explained, such as “cyberextortion and indemnification for regulatory violations such as those related to the (Telephone Consumer Protection Act).”

Since the pandemic, cyberrisk insurers have demanded far higher premiums. They’ve also raised their standards for insureds, such as by requiring policyholders to keep antivirus software updated and mandating multifactor authentication for employee logins. Carriers are also offering free or discounted access to cybersecurity software.

Conversation Starters

Reach World Insurance Associates at: worldinsurance.com or call 732-380-0900.

Reach North Improvement LLC at: northimprovement.com or call 212-495-9172.