What is Cyber Insurance?

If you’re curious how Cyber insurance differs from Technology Errors & Omissions coverage, click here.

Cyber insurance is everything, but the definition is seldom agreed upon. That means that if you ask five different people for their definition, you may get a few different versions. From an insurance point of view, it means this:

  • First-Party Expense Coverage
  • Third-Party Liability Coverage

First-Party Expense

Before we jump into liability coverage, let’s unpack what we mean by First-Party Expense. Put simply, any expense that you incur as a result of a Cyber event would be considered First-Party Expense coverage, subject to the terms and conditions of your policy. This includes things like notifications sent to affected and potentially affected parties of the breach, as required by state law or statute; credit monitoring costs; retaining a Public Relations firm to help you craft a response to the general public; hiring a Forensics company to research the event and evaluate its scope; and costs associated with recreating lost or corrupt data.

And we haven’t even touched the elephant in the room: Ransomware. More and more policies are including coverage for Cyber Extortion expenses associated with a bad actor infiltrating your systems and encrypting your data, holding it for a Ransom. This ransom is usually requested in Bitcoin so there’s additional expense associated with obtaining the requisite digital currency. 

What about if the Cyber Event interrupts your normal business operations? Are your systems/applications hosted on premises or with a Cloud Service Provider? If your business is interrupted, it may affect your ability to generate revenue during the outage causing a Business Income loss. Every minute is valuable and getting back online as soon as possible is the goal.

Third-Party Liability

Now that we’ve touched upon expenses you may incur as a result of a Cyber Event, what about damages to 3rd parties that you may have caused? Wait a minute… You’re saying that if my systems are compromised by someone else that there’s a way for me to be responsible for damages to a 3rd party? Absolutely. If you hold Personally Identifiable Information (PII) during the course of your business, or if you provide a Professional Service related to securing someone else’s network then a breach in that security could fall back on you. Back to the Cyber Event from earlier. If your systems are down, and you host a Software-as-a-Service platform for your customers, and they’re not able to access said system that they’ve paid you for… See where this is going? If that customer relies on your SaaS product to conduct their business, and they can’t access it, you may have inadvertently interrupted their operations as a result. 

Or if you’re a retail operation that stores PII on behalf of your customers, what happens if your systems are breached and that information is stolen? If your customers were to suffer damages associated with Identity Theft you may be found liable for said damages resulting from a failure of yours to protect that information. 

Cyber Insurance can also cover things like allegations of Copyright or other Intellectual Property infringement in the course of your business operations; or even Personal & Advertising Injury stemming from things like libel, slander, false advertising, etc. 

Now more than ever, businesses of all shapes and sizes will come to rely on Cyber Insurance as more and more operations are taken online. For two years in a row, business owners have named Cyber as their Number One fear-driver leading to decision making. And Cyber events show no sign of slowing down. Ransomware is said to attack a new target every 14 seconds. You’ve been reading this article for, say, five minutes now. That equates to roughly 20 attacks since you’ve started. That’s a lot! 

Is your business protected from this growing threat? We can all agree that if you’re not, you should be.

What is Technology Errors & Omissions Coverage?

Sage Clements came by the Insurance Requirements studio to talk Tech E&O and Cyber coverage recently. We had a great conversation about why Tech companies need E&O and Cyber policies, why it’s important to read policy language, and what questions to ask your agent when choosing the right coverage for you.

But before jumping into that, I wanted to step back for a bit and write a primer on both coverages. In this post, we focus on Tech E&O. Keep an eye out for my next post on Cyber coverage.

As a Technology insurance underwriter, a lot of my conversations center around Technology Errors & Omissions coverage, or Tech E&O for short.

What is Tech E&O?

Tech E&O protects you against a customer’s claim alleging they suffered financial damages or economic loss from a:

  • Negligent act, error, or omission
  • Breach of warranty or representation
  • Failure to perform or serve intended purpose

Wow, who let the lawyer take over?! Why don’t we make that a little easier to understand, shall we?

Negligent Act, Error, or Omission

This means you made a mistake in your work that allegedly led to your customer’s economic damage. A mistake covered here might look like: failing to include code that integrates to critical systems, providing staff augmentation that did not have adequate expertise, or providing a software deliverable that was not to customer specification.

To be clear, coverage is for accidents, not intentional acts. Generally speaking, Tech E&O excludes coverage for things that you do on purpose to cause economic damage.

For most companies, you might be able to work with your customer to remedy the situation by providing a fix to the work in question, but it’s always a good idea to have insurance in place should the situation deteriorate into a lawsuit.

Breach of warranty or representation

You may not go as far as to say that your product will 10x your customer’s revenue, but you may warrant uptime of your platform or that your product will be free of defects for a 12-month period.

Sometimes your product or service doesn’t live up to the standards you set forth in your contract. If that happens, your customer may allege financial damages. Financial damages could look like added expenses from having to implement a new solution in a hurry. Or your customer may have missed out on a big chunk of their revenue as a result of downtime.

Failure to perform or serve intended purpose

When talking about this clause, I open the most eyes on Tech E&O coverage. I get a lot of pushback along the lines of, “I don’t need Tech E&O. My services never fail, I’ve never had an error. There’s no possibility of a claim from my customers.”

This mindset assumes that you have to do something wrong to be sued. This part of Tech E&O coverage really speaks to your customer’s perception, rather than a bug or error on your part.

For example, let’s say you run a company called Cymbal. You’ve created a software that allows your customer to track their sales activity. Your marketing is slick, including customer testimonials for days. Things like, “My company used Cymbal and we saw a 15% uptick in close rates,” or, “Wow, this software is the real deal, my revenue jumped 30% in less than 2 months.”

One day you have a new customer that gets up and running and doesn’t experience the same success as the testimonials. Their sales remain flat, and start to dive after 90 days. There’s nothing wrong with the software, but the customer’s intended purpose for using your software was to boost sales.

After a long implementation and onboarding period, they express they’re not satisfied. They explain they spent a lot of time and money on the software and it simply didn’t live up to their expectations. If they believe they can’t resolve the situation with you, the customer may choose to sue Cymbal, alleging financial damages from using your software.

Even if Cymbal is able to prove that there was no wrongdoing or even if it was the customer’s fault, that doesn’t erase the lawsuit and the need for legal counsel to defend the suit. This is where Tech E&O coverage would step in.

In Conclusion

Tech firms provide professional services. For the most part, their software won’t physically harm someone or damage someone’s property. The biggest exposure, then, goes back to economic damage they may cause if their product/professional services fail.

Tech E&O is the policy you’ll want to secure to protect you from allegations of negligent acts/errors/omissions, a breach of warranty/representation, or the failure of your product/service to do what the customer intended.

Please keep in mind it’s important that you talk to your insurance agent or broker about purchasing the best policy for your unique situation.

Join me next time when we dive into Cyber Liability insurance.

Insurance Requirements Blog

Insurance professionals are problem solvers by nature. The technology space is no different. So after nearly a decade in the industry, I wanted to create a space to share the questions I’ve received and the solutions that were created.

This blog is designed to be a companion to my podcast by the same name, Insurance Requirements. Each episode documents a founder’s journey in the insurance buying process. Each story touches on topics that deserve extra attention. Things like the differences between Cyber liability and Tech E&O. Information gathering practices. How acquisitions affect your insurance program.

Please join me here after listening to the newest episode of Insurance Requirements to continue the discussion.