According to the Identity Theft Resource Center, businesses experienced 571 breaches in 2018, exposing over 415 million employee and customer records.[] Business breaches accounted for almost half—46%—of all breaches. Although we most often hear about big corporations falling victim to cyberattacks, small businesses are the most vulnerable.

Without big technology departments and IT staff, small businesses are most likely to need cyber liability insurance. This type of small business insurance will help you respond effectively to a cyber breach, cover your costs, and quickly move on. In this article, you’ll learn more about what cyber liability insurance covers, what it costs, and where to purchase it.

Cyber liability insurance, sometimes short for cybersecurity, privacy, and media liability insurance, helps your company respond in the event of a cyberattack or data breach. If your network or computer systems are hacked into or corrupted by a virus, for example, cyber liability insurance can be essential.

Often, a general liability insurance policy or professional liability policy will contain basic cyber liability coverage. However, businesses that store personally identifiable information (PII) for employees or customers should have stand-alone or enhanced cyber liability insurance. PII includes any data that can be used to identify a particular individual, such as name, data of birth, email address, social security number, credit card number, or bank account number.

There are numerous ways that a cyber breach can occur. For example, hackers can send phishing emails to customers in which they masquerade as your company. If a customer clicks on a link in the email, the hackers can steal PII. Or a hacker might use a virus or ransomware to corrupt your data files.

The main way to protect yourself against cyberattacks is with strong internal safeguards. For example, small business owners should limit access to PII to a limited number of people in the organization. You should have strong passwords on electronic devices and to access different software tools. And you should regularly update your passwords and software.

According to Brian Gill, cofounder of Gillware Data Recovery, “Security should be the number one boardroom agenda of any business. Technical and physical safeguards should be in place. Insurance coverage is an added layer of protection which enables the business to call upon the insurer in their moment of need.”

Cyber liability coverage can vary widely based on which insurer you’re purchasing the insurance from.  The reason is that there’s no such thing as standard cyber liability insurance. Insurers have started offering cyber coverage only within the last couple of decades.

Judy Selby, a cyber law expert and principal at Judy Selby Consulting LLC, says, “Unlike many other more traditional lines of insurance, there is no standard policy form for cyber insurance. Each cyber insurer has its own policy form, utilizing its own, unique policy language. This creates challenges for companies trying to compare one cyber insurance policy with another.”

Despite the variations, Selby says most insurers offer two types of coverage within a cyber liability policy:

This coverage pays for immediate expenses that a company incurs after a cyber breach. This includes:

• Cost of notifying employees and the public
• Repairing any damaged software or hardware
• Protecting the company’s reputation with a marketing and public relations response
• Business interruption costs and missed income while business operations are suspended
• Extortion money (used to appease a hacker who threatens your data or systems unless you pay them a ransom)
• Other ancillary costs, such as paying for credit monitoring for customers

This coverage helps the company defend against lawsuits and legal claims. This includes:

• Privacy lawsuits claiming that you breached the privacy of customers or employees
• Fines from regulatory bodies
• Media liability claims, such as copyright infringement, libel, or slander.
• Breach of contract or negligence claims

On top of first- and third-party coverage, some insurance companies also provide risk mitigation services to help you identify and avoid cyber threats before they happen. After a breach has occurred, some insurers will set up a hotline that customers and members of the public can call to get more information.

It’s important to carefully read through your cyber liability insurance policy and understand any exclusions.

Cyber liability insurance commonly excludes all of the following:

• Bodily injury or property damage claims: Cyber liability insurance won’t protect claims of bodily injury or property damage. That’s where a general liability policy comes in.
• Loss of property: Losing a piece of property, like a phone or computer, is generally covered by commercial property insurance, not a cyber policy.
• Criminal activity: Typically, a cyber liability policy won’t insure against fraud, robbery, employee theft, or other crimes. Commercial crime insurance can offer this coverage separately.
• Social engineering: One way in which cyber criminals target their victims is through social engineering—tricking people into transferring company funds. Not all cyber liability policies cover social engineering. This may come with a smaller coverage limit, or it might be an optional add-on.

When you purchase a cyber liability policy, you agree to maintain appropriate security measures in order to prevent a cyber incident from happening in the first place. If you fail to maintain these security measures, then coverage might be denied. For example, let’s say that an employee accidentally clicks on a link in an email, which causes malware to corrupt the company’s computer systems. If it’s later found that the company didn’t install any anti-malware software, the insurance company could deny coverage for failure to use preventative measures.

As this example shows, it’s important to know what you’re agreeing to and to have proper security procedures in place. You can put these protocols in place on your own. Alternatively, there are external security firms that can help you get up to speed.

Cyber liability insurance can cost anywhere from as little as $500 per year to as much as $50,000 or more per year. By tailoring coverage to your business’s needs, you should be able to find a cyber liability policy that fits your budget.

Here are the factors that affect the cost of cyber liability insurance:

• Coverage limits: The higher and more complex your coverage needs, the more expensive your policy will be. For example, if your company uses multiple servers or if you store a lot of customer data, your insurance will be more expensive.
• Data access: Limiting access to sensitive data can help you save money. For instance, if you grant data access only to senior employees, that could help. Having an in-house security expert can lower costs as well.
• Security measures: Effective security measures, such as installing antivirus software and network firewalls and regularly updating your passwords, can lower your premiums.
• Industry: A business that operates primarily online will face more cyber threats, and pay correspondingly more, than a brick and mortar business with a low-traffic website. Similarly, businesses in certain industries—like healthcare and accounting—that store the most sensitive types of data will also pay a higher premium.
• Claims history: If you have a history of multiple claims, the insurance company might charge you a higher premium.

Compared to other types of business insurance, the cost of cyber liability insurance is higher because the fallout can often be much greater. When you add up all the costs involved with a cyber incident, it can be very expensive. A small business needs to contain the crisis, respond to customers, deal with public relations damage, fix damaged hardware or software, recover lost profits, and cover the cost of any legal claims.

It can be challenging to figure out how much cyber liability coverage you need. Essentially, you need to work backward from a hypothetical cyber incident and figure out how much coverage it would take to recover from the breach.

According to a study by IBM Security and the Ponemon Institute, the average cost of a data breach was $148 per affected record in 2018.[2]The same study found that the average time required to identify and contain a breach was 197 days and 69 days, respectively.

We suggest using those numbers as jumping-off points for your own business. Consider how many sensitive records you store, what type of records, and where they are stored. If your business experienced a breach, what measures would you need to take to inform your customers and protect their interests? How long would this take? On what channels do you store sensitive data (e.g. website, remote services, mobile devices, etc.)?

How much would it cost to replace any affected hardware or software? Do you have an in-house security team that can help you mitigate the damage, or would you need to bring in a consultant from outside the organization? Do you have an in-house public relations professional to answer questions from the public about the breach?

Answering these questions can help you figure out how much coverage you need to protect your business. Business owners who don’t have the technical interest or knowledge can hire an IT security firm to audit the business and determine risk levels. After an audit, an insurance broker should be able to help you double-down on your coverage limits.

When in doubt, says Shari Claire Lewis, a partner in Rivkin Radler’s Privacy, Data & Cyber Law practice group, consider going up in coverage. “Surprisingly, the cost of insurance coverage does not generally go up in direct proportion to the amount of coverage. Because the vast quantities of claims will occur in the lowest level of insurance, additional coverage is often quite affordable. We recommend that any business… purchase the amount of coverage that it can afford.”