Does Professional Liability or E&O Insurance Cover Cyber Losses?

Nearly every small business needs cyber liability and data breach insurance. The question is where to get it from: your existing professional liability/E&O insurance, a blended policy, or standalone cyber insurance?

Cyber threats show no sign of abating. According to a recent Ponemon Institute study, 66% of U.S. small- and medium-sized businesses suffered a cyber attack in 2019. This was an increase of 20% since 2016. The study, 2019 Global State of Cybersecurity in Small- and Medium-Sized Businesses (SMBs),” also found that 71 percent of SMBs worldwide have received at least one cyber attack in their company’s lifetime. The average direct cost of such incidents and the ensuing business disruption was $1.9 million and $1.24 million, respectively. 

If you own a small business, it’s hard to ignore statistics like these. That’s why increasing numbers of business owners are getting serious about cybersecurity planning. This involves conducting a risk assessment, installing robust defensive measures and developing an incident-response plan. They’re also buying cyber liability and data breach insurance in order to mitigate the financial costs of a cyber attack or internal breach. However, cyber insurance is a relatively new market and there are multiple ways to transfer your cyberrisks to an insurance company. 

Questios you should consider:

Which path should you take? 

What expenses are covered with cyber insurance?

How much does cyber security costs for a small business?

Look for gold-standard cyber protection

In most cases, SMB owners will benefit most from buying a standalone cyber liability and data breach insurance policy. We define such a policy as one that provides robust first-party and third-party protection in one convenient policy. First-party coverage means your insurance would pay for expenses such as:

  • Retaining a forensic IT expert to determine the cause of your loss. 
  • Paying outside consultants to help repair damage to your IT hardware, software and databases. 
  • Notifying clients and third parties that a cyber attack or data breach exposed their business or personal information. 
  • Providing credit-monitoring services to affected individuals and businesses. 
  • Addressing reputation issues by retaining crisis-management and public-expertise.  
  • Suffering lost income due to not being able to operate your business after an attack or breach. 
  • Paying a ransom to a cyber criminal who has locked you out of your computer system by encrypting it without your knowledge.

The expenses just listed are those you incur after a cyber attack or data breach. They repair or mitigate the damage yourcompany suffered so you can quickly return to business as usual. Third-party protection has a different focus. It covers legal and other claims against you from outside firms and entities that experienced a loss due to your cyber attack or data breach. It’s designed to cover the legal liabilities that arise after an incident, typically those resulting from a professional error or omission.

Third-party protection covers expenses such as:

  • Retaining an attorney to defend you against customer or other third-party legal claims. 
  • Paying for settlements or judgments against you due to a cyber incident. 
  • Responding to a government inquiry regarding your cyber attack or data breach. 
  • Resolving regulatory complaints and fines and/or penalties levied against you due to your role in the incident.  
  • Paying card-industry fines for violating industry standards. 
  • Resolving legal claims from those alleging you divulged their personal or proprietary business information.

Standalone cyber insurance generally provides a comprehensive safety net for all covered first and third-party expenses that arise after a cyber attack or breach. Thus, to have the broadest protection, consider buying a dedicated (i.e., standalone) cyber liability and data breach policy with the largest liability limits you can afford. 

However, you may decide you do not want or are unable to afford such coverage. You may reason that because of the nature of your business, your first-party risks are nominal and that your existing professional liability or errors and omissions insurance policy should cover your third-party exposures. That’s a viable option, but does have one downside.

Value of professional liability/E&O for cyber

Professional liability or E&O insurance only covers legal claims in which third-party cyber losses occur due to your failure to properly carry out your professional duties. If you suffer an attack or breach that didn’t result from professional negligence, then your insurance may not cover the claim. Consider this example. You took reasonable steps to protect your computer system and data against outside attack. You hired a smart cybersecurity consultant to conduct a risk analysis and to develop a cybersecurity plan. Then you took the person’s advice. However, an exceptionally smart hacker breached your system anyway, releasing confidential customer and vendor information. Chances are, third-party entities would have a hard time proving your professional negligence caused their loss. You took prudent defensive measures, but a skilled hacker defeated them. Therefore, your professional liability or errors and omissions insurance might not cover legal claims against you. 

Furthermore, if your cyber incident involved damage to your own equipment or data or other expenses such as loss of business income, computer diagnostic/repair services or the cost of providing customers with credit monitoring, then your standard professional liability insurance might not respond to your claim, either. This is because, by definition, it’s liability insurance. It only covers legal expenses that result from third-party legal claims, not first-party (your company’s) expenses.

To rectify this situation, some insurers have added limited cyber liability coverage to traditional professional liability policies. This often takes the form of a privacy endorsement so that if a hacker steals client information off your data server, you’ll be protected against third-party lawsuits.

Value add of bundled/blended cyber

In some cases, insurers go beyond making limited E&O modifications to bundle or blend features of cyber liability and data breach protection with their E&O insurance. The benefit of this approach: you get professional liability coverage plus first- and third-party cyber liability/data breach coverage combined in one policy. However, keep in mind that this approach may provide less protection than if you bought standalone E&O and cyber liability/data breach insurance.

In short, regardless of whether you use your existing professional liability insurance to cover your cyberrisks or buy one that has limited cyber built in, a blended solution or two standalone policies, it’s important to carefully think through your insurance decision. Here are some pointers to get you started:

  • Understand the full scope of your SMB cyber risks. Then, take steps to ensure your desired cyber solution adequately addresses those risks. 
  • Read the specimen policies (or policy) carefully to see how first- and third-party losses are handled. 
  • Study your policy to see how coverage is triggered and what exclusions apply to each type of loss. 
  • Consult with an insurance expert to make sure a blended policy doesn’t have coverage gaps that can leave you uninsured after a devastating cyber loss. 

Finally, don’t skimp on your limits of liability in order to save money. Being penny wise and pound foolish about your cybersecurity may have catastrophic results for your firm and for everyone affiliated with it—your partners, employees, vendors and others. Avoid these by making a careful insurance purchase decision that puts cyberrisk prevention and mitigation front and center. Offering the most transparent benefits and coverage, standalone cyber insurance policies will generally be your best option. As Sean Kevelighan, CEO of the Insurance Information Institute explains, “Standalone policies are recommended to ensure the appropriate levels of coverage for all types of businesses.”