Because Leadership Means Getting Insurance Right

Vouch insures seed-stage and venture-backed technology startups.

And startups that defy categorization
Vouch Presents

Knowledge

Resources to help you manage risk and succeed with insurance
Knowledge

Cyber Insurance for Startups: Top Concerns and Insights

Lynn Brown
Journalist
David Kaufman
Insurance Advisor Team Lead

As cybercrime becomes more sophisticated and widespread, especially with distributed teams and the emergence of the hybrid work environment, cyber security is an even more pressing concern for startups.

Additionally, as the majority of data and financial transactions for businesses are occurring electronically, consumers, businesses, and organizations of all sizes are looking for ways to protect themselves, their information, and their assets from online threats. Cyber insurance offers companies the safety net they need to operate online platforms without the fear of sensitive information being leaked, stolen, or mirrored and can help protect startups should a breach or cyberattack occur.

While at first glance it may sound like banks, financial institutions, and other highly regulated industries are the only ones who need to invest in cyber insurance, in reality, many startups from Software as a Service (SaaS) to life science companies have sensitive client data that needs to be protected.

What should founders look for and make sure their cyber insurance covers?

There are many factors to take into consideration. Some of the most common elements in a comprehensive cyber insurance policy include:

●  Data breach coverage

●  Privacy breach coverage

●  Restoration costs

●  Cybercrime

●  Business interruption coverage

These coverages exist to help companies in the event that a hacker gains access to your system or there has been a data or privacy breach. Breach response and restoration cost coverages help startups cover the costs of identifying the source of the breach and making consumer-announcements, in addition to helping with legal fees and other third-party costs.

Business interruption insurance, both on your own network and through cloud service providers, can also help startups replace income lost in the event of a breach or an attack, should the cyberattack lead to a shutdown or interruption in their networks.

Some policies will even include protection against cybercrimes committed that involve the theft of financial information or securities. These can be extremely helpful coverages to include in a policy in the case of a breach that leaves your company open to financial liabilities.

In terms of exclusions, it’s important to identify if cyberattacks that are considered “cyber terrorism” are excluded in your policy. For example, during the NotPetya ransomware attack that caused $10 billion in loss damages and affected companies world-wide, the cyberattack was considered to be state sponsored terrorism and was not covered by many insurance polices, and companies were forced to pay out-of-pocket for lost income and damages. 

What are the types of risks my startup is more susceptible to if I have a lower/higher coverage limit? 

When setting your limits in a cyber policy, two of the largest factors are the elevated risk and the “underwater costs.” Cyber insurance is a risk-transference tool that not only helps your business protect itself against liabilities and financial loss in the case of a breach, but also makes you a more attractive organization for potential business partners.

A lower coverage limit in your cyber policy could leave you susceptible to paying additional fees such as identity restoration and credit monitoring costs for affected parties, computer forensic fees, and legal fees.

What are the most common coverage limits for companies like mine?

Just like with any other insurance policy, there is no universal coverage that works for everyone. Each company is going to have slightly varying coverage needs. However, there are some specific areas you can evaluate to find out how much coverage is right for your organization.

First, conduct an internal evaluation on how much customer information your company stores and what type of information is being stored. For instance, first names and email addresses are much less sensitive information than social security numbers and bank accounts.

Additionally, when considering business interruption coverage, assessing the worst-case scenarios around downtime and the recovery period is helpful when selecting your business interruption limit.

You should also be sure to assess your company’s risk tolerance and partnership requirements. Many organizations will only conduct business with firms that meet a certain standard of risk. If you partner with companies like these, you’ll need a higher coverage.

What is not covered by my cyber insurance policy?

Just as each cyber policy is crafted and tailored to fit the needs of specific companies, the exclusions in your cyber policy may vary as well.

Every insurance policy comes with a clearly defined list of included and excluded coverages. In most cases, an exclusion exists in the instance that it’s an event meant to be covered under a different policy.

If I don’t handle sensitive customer information, do I need cyber insurance? Why?

If your company doesn’t handle, work with, or store sensitive consumer information, cyber coverage may not seem like a necessity. There are other benefits, though, to carrying cyber insurance beyond keeping sensitive information secure.

For instance, if there is a breach, and your company is pulled into a lawsuit in response to that breach, cyber insurance policies can be activated to help cover the legal fees and other costs associated with making your defense. A very common scenario, for example, is when a startup stores sensitive consumer information using an outside vendor, such as a cloud service or for payment/billing purposes. Should that payment or cloud service provider be hacked, the startup could potentially be named in a lawsuit alongside the outside vendor and be financially liable for expenses and damages their customer incurred.

Additionally, any startup that relies on their online systems to conduct business can benefit from having business interruption and cyber insurance in place should their product experience down-time related to a breach event. If a startup is providing SaaS, network availability is essential. In the event of a Distributed Denial of Service (D/DOS) attack, it could cause financial impact both to the client (i.e. productivity) and the startup (business income).

What is the difference between the first and third-party coverage limits?

This is an important distinction to understand when setting your limits and choosing the best cyber policy to keep your business and your customers protected.

A first-party claim on a cyber policy is filed when a company’s own system is breached. At that point, the limit on the policy helps cover fees and costs associated with notifying customers, monitoring and restoring credit, and conducting forensic analysis.

Third-party claims on a cyber policy, on the other hand, are when your customers are affected by the breach. This is when the private or sensitive information of others gets leaked, thereby opening your company up to potential lawsuits. In this instance, third-party coverage on a cyber insurance policy assists with defense and law fees, settlements, and judgements.

An important note: when business partners require that your company have cyber insurance they are often referring to the third-party limit.

Will my cyber insurance policy pay for ransomware? What about social engineering?

There are cyber coverage policies that include coverage for cybercrime and can be activated in response to cyber extortion (i.e. ransomware). Cyber extortion is a threat or series of threats made by an outside person or entity that is prolonging or tampering with sensitive data events. In the instance that your organization undergoes a cyber extortion event, your cyber insurance policy can cover both extortion costs, and costs associated or incurred through social engineering.

Why are the costs of cyber insurance increasing across the board?

When it comes to pricing insurance, there are two main factors that adjusters consider: the first is how frequent claims of that nature come in; the second factor is how costly a claim of that category is. Taking these two things into account gives a sense of how to price an insurance policy.

The onset of the pandemic swiftly accelerated the virtual economy and remote workforce this past year, which in turn accelerated the amount and frequency of cybercrimes. The remote workforce in particular has been a huge target for cyber criminals, as the line between personal and professional equipment can often get blurred when working from home.

Why should I invest in cyber insurance and cyber security? What are the benefits and ROI?

A report in 2020 marked a massive increase in activity in cybercrime, and as a result found a nearly 200% ROI on investments in bolstered cyber security.

Is there a deductible I have to pay when I make a claim?

Depending on how the cyber insurance policy is set up, there will likely be a retention fee/deductible. It’s important to note that most cyber insurance policies are designed to protect companies from catastrophic losses, not common customer disputes. As such, the higher the limits requested, and the more risk exposure your company brings, the higher the retainer or deductible will be.

How do I make a cyber insurance claim?

Sign in to your Vouch account and click “file a claim.” At Vouch, we respect and appreciate that our customers are busy and so we’ve simplified the claim-filing process. After hitting the “file a claim” button, you’ll be asked for a brief description of the claim, and hit submit.

After that, a member of the Vouch team will reach out to you within a business day with next steps.

What are the risks of not getting a cyber insurance policy?

While cyber insurance policies are optional, with the threat of cybercrimes growing, the risks of not having this insurance go up as well. In fact, a cyberattack can be a business-ending event: 60% of startups and small businesses that are victims of a cyberattack go out of business within six months.

Many companies and investors also require that you have some kind of cyber insurance policy in place before they’ll partner with you. Your company could also end up with high costs to pay in the instance of a breach if you opt out of insurance. The decision whether or not to invest in this type of insurance really comes down to how at risk your company is and how high your risk tolerance is.

Want to know more about cyber security and the coverage options Vouch provides?

Startups save up to 24% by bundling insurance coverages through Vouch. As the underwriter, Vouch has re-engineered insurance end-to-end to remove hidden fees and paperwork from start to finish. To find out more about Vouch’s cyber insurance policies, click here.


About Vouch

Business insurance for top startups.

Vouch is a new kind of digital insurance provider that protects startups from mistakes, litigation and attack.