Cyber Insurance Overview

Topics: Cyber Liability

Summary: Every organization can be the target of a cyber attack costing thousands of dollars in damages and lost reputation. To protect your business from a breach of your data and your customers’ personal data, it is crucial to recognize the signs of a data breach and to know how to prevent an attack on your business by having a cybersecurity plan and cyber insurance protection.

Cyber Liability Insurance Overview

Cyber insurance, or cyber liability insurance, is still a relatively new coverage, gaining increased visibility in the past decade since its introduction. Every employer, large or small, faces the reality that they could be the target of cybersecurity attacks or data breaches, which can jeopardize their credibility and cost thousands of dollars (or more) in damages.

What is Cybersecurity?

Data breaches can occur on a large and small scale, but most people are probably familiar with the more prominent incidents. Every employer faces the reality that they could be the target of a network security breach. A cybersecurity breach can jeopardize credibility and cost small businesses without cyber insurance thousands of dollars (or more) in damages and impact customer service, productivity and reputation.

A data breach occurs when sensitive information is accessed by cybercriminals who find the means to bypass network security from a remote location. They may steal personal and sensitive information like:
  • User names
  • Addresses
  • Phone numbers
  • Credit card records
  • Social security numbers

Cybersecurity, or information security, refers to the measures taken to protect a computer or computer system against unauthorized access from a hacker. A robust cybersecurity policy protects secure, critical or sensitive data and prevents it from falling into the hands of malicious third parties.

Every October since 2004 has been designated as National Cybersecurity Awareness Month. Cybersecurity awareness has continued to grow, reaching consumers, small and mid-sized businesses, large corporations, educational institutions and young people across the United States.

AmTrust has a vested interest in cybersecurity, internally for our employees and externally, to help our agents and insureds understand the data breach risks. AmTrustCyber provides coverage for certain losses incurred from a cyberattack, and we are committed to evolving our policies as new cyber threats emerge.

Cybersecurity Risks

Below are cybersecurity risks that can wreak havoc on a business:
  • Deepfakes: Developed from artificial intelligence technology, deepfakes can take an image of one person and replace it with another person’s likeness. In 2020, there were nearly 15,000 deepfake videos online. As the technology becomes easier to use, more people are making these types of videos, and their impact could be felt across the business, political and media worlds.
  • Ransomware Attacks: Ransomware is a type of malicious software designed to block access to a computer system until a sum of money (or ransom) is paid or some other action is completed. Sometimes, a ransomware attack is as simple as forcing the user to complete a survey. The most common types are lock screen and encryption ransomware. The lock screen shows a full-screen message that prevents the user from accessing their PC or files. Encryption modifies files so they can't be opened.
  • Smart Home Devices: The Internet of Things (IoT) technology has allowed us to connect to our cars, homes and multiple devices like never before. IoT devices continue to be developed with even more connectivity, producing tons of data that need protection from cyber attacks.
  • Data Privacy: The use of personal data must be explained to consumers simply and transparently, and in most cases, consumers must give their consent before their personal information is provided. As big data grows, privacy concerns are also increasing. The possibility of data breaches can put your business’s sensitive information in the hands of identity thieves.
  • Spear Phishing: Phishing, a type of social engineering scam, attempts to fraudulently obtain sensitive information using email. The email appears to come from someone that you know or have done business with. However, the message might include poor grammar, syntax errors, broken links, and the email address might be slightly different from the familiar one. The email could be written with a sense of urgency, demanding an immediate response. Spear phishing is a type of scam that targets a particular person in an organization directly.
  • Human Mistakes: In the past few years, there has been a rash of well-known cyberattacks on businesses, including British Airways, Marriott Starwood and Citrix. The 2018 Verizon Data Breach Investigations Report found that human mistakes caused 21% of data breaches.
  • Business Travelers: Business travelers can be more vulnerable to a cyberattack than those traveling for pleasure, mainly because they often carry laptops, cell phones and tablets with sensitive data on them. Those who travel internationally can be even more at risk due to strict customs regulations that allow officials to inspect electronic devices, including asking for passwords to access hard drives.
  • Interns: Hiring interns can be highly beneficial to small businesses to recruit and train future employees. Generation Z is one of the most enthusiastic groups of social media users to enter the workforce. And, while sharing their excitement for their new position can help positively promote a small business, the information they post daily can also be a veritable treasure trove for hackers.
  • Nonprofits: The perceived large coffers of nonprofit organizations and the inherent risks involved with daily business can put these organizations at risk for a cyberattack. There are several ways that nonprofits are prime targets for cyberattacks, including online donations, phishing scams, ransomware and potentially “bad” volunteers.

Types of Cyber Attacks

What is a Cyber Attack?

Cyber attacks threaten businesses every day, often resulting in damages up to hundreds of thousands of dollars or more. A cyber attack is a deliberate assault on a computer system or network that uses malicious code to make unwanted modifications or steal data. Some of the most common examples of cyber attacks include the following:

Social Engineering Scams

Cybercriminals commit their crimes through social engineering scams – the act of deceiving or manipulating someone into divulging confidential or personal information to use for fraudulent purposes. Social engineering scams come in many forms, including phishing scams sent via email to collect sensitive data, baiting scams that infect a computer with malware after the user downloads free music or movies, caller ID spoofing and more.


Malware

Malware, or “malicious software,” is a type of cyber attack that installs dangerous software on a user’s computer after clicking a harmful link or opening an email attachment. The malware essentially locks down the computer, blocking access to files and other vital components of the network, and obtains sensitive information.

One common form of malware is ransomware, which blocks access to the system until a sum of money is paid or another action is completed. Other types of malware include Trojan horses, malicious programs designed to look like typical software that tricks users into installing it. A malicious script is planted into an insecure website that will redirect the user to a site controlled by the hacker.

SQL Injections and Other Web Application Attacks

A Structured Query Language (SQL) injection is a cyber attack that involves a hacker “injecting” malicious code into a service that uses SQL, forcing it to expose information it would normally not display, including customer details, user lists and other confidential company data.
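The injection described above, shown as an added example (not AmTrust's code) using Python's built-in sqlite3 module: the same customer lookup written unsafely and then with a bound parameter. The table, column names, sample records and the crafted input are all constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "4242"),
    ("bob", "bob@example.com", "1881"),
    ("carol", "carol@example.com", "0005"),
]

# Constructed input that closes the quoted string and appends an always-true condition.
CRAFTED_INPUT = "' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email, card_last4) VALUES (?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately unsafe: the input becomes part of the SQL statement itself."""
    query = (
        "SELECT username, email, card_last4 FROM customers "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Safe form: the input is bound as a parameter and is only ever treated as data."""
    if not isinstance(username, str) or not 0 < len(username) <= 64:
        raise ValueError("username must be a string of 1 to 64 characters")
    query = "SELECT username, email, card_last4 FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Return how many rows each lookup exposes for the same input."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, username)),
            "hardened": len(lookup_hardened(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input :", compare("alice"))
    print("crafted input:", compare(CRAFTED_INPUT))
```

With an ordinary username both lookups return one record; with the crafted input the concatenated query returns every customer while the parameterized query returns none.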


Denial-of-Service (DoS) Attacks

A denial-of-service (DoS) attack occurs when hackers overload a system’s resources and cause it to become unresponsive to service requests. In other words, these attacks can shut down the system and make it inaccessible to authorized users. A distributed denial-of-service (DDoS) attack also targets the system’s resources, but the source comes from a larger number of host machines, all infected and under the control of the cybercriminal. DoS and DDoS attacks can completely debilitate a website, especially when working in partnership with botnets.


Botnets

A botnet uses bots, or robots, and exists across a network of devices comprising personal computers and other devices. Botnets drive various types of cyber attacks that can be used to steal personal information and passwords, spread spam and deliver viruses. They’re cheap and effective for cybercriminals to utilize, and as mentioned above, can also facilitate a DoS attack, flooding a webpage with traffic to ensure the site goes offline.

How Can a Data Breach Be Prevented?

A data breach can also occur due to simple mistakes by employees. The Identity Theft Resource Center found that in 2019, 705 million non-sensitive records were compromised due to a data breach, while cyber attacks exposed over 164 million sensitive records. Non-sensitive data such as usernames or passwords could lead to additional exposure.

Warning Signs of a Data Breach

There are warning signs for a data breach that you can watch out for, including:
  • Unusual Software Behavior: Check your system for hardware and software irregularities.
  • Suspicious Files: If malware is detected or a user reports opening a suspicious file, assume that the malware has infected something.
  • Compromised System Communications: Regularly review communication patterns on the network.
  • Outdated Security Programs: Keep anti-virus and anti-malware programs up-to-date.
  • Changes in Credit Ratings: Customer information isn't the only confidential data on the server. Changes in your credit rating could be an indication of fraud and a sign of a data breach.

Data Breach Prevention Tips

Regardless of how big or small your business is, if your data, important documents or customer information is exposed, recovering from the aftermath could be difficult. In addition to knowing the warning signs, there are ways that businesses can prevent data breaches or cyber attacks.

It's more important than ever that all businesses understand how to recognize the early warning signs of a data breach, the steps they can take to help prevent them, and how to protect themselves from certain losses incurred from a cyberattack. Below are some data breach prevention tips to keep in mind:
  • Set Security Protocols on Company Premises: Businesses should clearly understand the data that could become compromised to mitigate the risk of a cybersecurity attack.
  • Understand How to Classify Data: Classifying data within an organization helps businesses understand what level of protection it requires.
  • Keep Data Safeguarded: Many data breaches result from employee error, so ensure all employees are well-trained on how to keep sensitive information protected. Employees should only have access to the information vital to their particular roles within the company.
  • Implement Password Protection: One of the best things a small business can do to stay protected from a data breach is to utilize strong passwords for every site accessed daily. Additionally, passwords should never be shared amongst employees or kept written down where others can see them.
  • Update Security Software Regularly: Companies should utilize firewalls, anti-virus software and anti-spyware programs to ensure that hackers cannot easily access sensitive data, and should update these programs regularly.

Additionally, businesses should prepare for a cybersecurity attack by creating a comprehensive data breach response plan. A data breach response plan, also known as a security breach response plan or a cyber incident response plan, helps businesses appropriately respond to a cybersecurity attack by providing the necessary steps to respond in a straightforward, documented manner. While the details can and should be customized to the organization, there are certain things every security breach response plan generally includes.

Data Privacy

What is Data Privacy?

On its most basic level, data privacy is the consumers’ understanding of their rights as to how their personal information is collected, used, stored and shared. The use of personally identifiable information (PII) must be explained to consumers simply and transparently, and in most cases, consumers must give their consent before their personal information is provided.

What is Personally Identifiable Information?

Personally identifiable information is data relating to an identified or identifiable natural person, such as an ID number, location data, online identifier (like an IP or MAC address) or other specific factors. It also includes unique identifying data such as a Social Security number, driver's license number, financial accounts, email addresses, login credentials and passwords, addresses, phone numbers and birth date.

Laws Protecting PII

The European Union enacted the General Data Protection Regulation (GDPR), a comprehensive data privacy protection program, in 2018. The GDPR has been a model for privacy laws in the United States.


General Data Protection Regulation (GDPR)

The protection of PII is the core of the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR, enacted in 2018, explicitly directs organizations to protect the personal information of all “data subjects” of the European Union. The protection of the PII data (and penalties associated with a data breach of it) are rights held by the data subject and enforceable inside and outside the European Union.

Any small business which processes the personal data of individuals within the EU is subject to the GDPR, no matter where the company has its headquarters. The GDPR provisions state that the laws apply to people within the EU, but not necessarily to EU citizens. This means that any company using the data of EU subjects, even if this company is stationed outside the EU, will need to comply with new ways of protecting data related to identifying information, IP address, cookies, health, genetic or biometric data, racial or ethnic data and sexual orientation.

California Consumer Privacy Act (CCPA)

The U.S. does not yet have an extensive federal data privacy law similar to the GDPR. Currently, it is up to individual states to develop personal data legislation. California was the first state to implement a law in January 2020, known as the California Consumer Privacy Act (CCPA).

The CCPA gives California residents an assortment of new privacy rights, starting with the right to be informed about what kinds of personal data companies have collected and why it is being used. The law stipulates that consumers have the right to:
  • Request the deletion of personal information
  • Opt-out of the sale of personal information
  • Access the personal information in a “readily useable format” that enables the easy transfer of the data to third parties

The CCPA excludes publicly available information via federal, state or local government records and medical or health information collected by an organization governed by California’s Confidentiality of Medical Information Act or HIPAA.

Cybersecurity risks for remote workers

Remote work is growing, especially since many workers switched to remote work during the pandemic, with some workers retaining a hybrid schedule moving forward. Remote employees can present a higher and ongoing cyber risk to their businesses for the following reasons:

Lack of Cybersecurity Training and Established Best Practices

According to Small Business Trends, 48% of cyber attacks were due to a negligent employee or contractor. Cybersecurity training for employees should be an ongoing process. It is vitally important that everyone in the company, especially those who work outside the office, is up-to-date on all security policies. Businesses should consider doing more to ensure all employees are consistently updated about any potential security vulnerabilities – and how to recognize and avoid them.

Using Unsecured Wi-Fi Networks

Employees often access company networks using Wi-Fi from popular or public locations (such as a coffee shop), making them more susceptible to the risk of an online attack. Most public Wi-Fi networks do not require authentication, which means the connections are not encrypted. Unencrypted networks could make it easy for malicious actors to steal data or access credentials.

Personal Use of Laptops or Lack of Physical Security

Using work devices to visit social media pages, answer personal emails or shop online are examples of a remote worker's risky behavior. Allowing non-employees like friends or family members to borrow devices for personal use is another example. This presents a risk of not monitoring the websites or files they access, potentially putting your company data at stake.

Physical Security of Company-issued Devices

Physical security of company-issued devices can also be a cybersecurity risk. This could be as simple as leaving a device out in the open at home or in an unlocked car.

What is Cyber Insurance?

Cyber insurance, also known as cyber liability insurance, provides coverage for certain losses incurred from data breaches and can help protect your company from a range of cyber attacks. The extent of cyber coverage will vary depending on the industry, the type of business and their specific needs. At a minimum, cyber insurance helps companies comply with state regulations that require a business to notify customers of a data breach involving personally identifiable information.

Many businesses may not realize they need cyber insurance, or may not understand it. From large corporations to school districts, organizations are hit by cyber attacks on a daily basis. Agents can help educate their insured about known risks, how cyber losses are compensated and what coverages are available. Businesses may think their other policies – property, liability, business interruption – cover cyber-related incidents, but often policies do not explicitly include or exclude cyber coverage, leaving it in a grey area. The best way a business can protect itself is to have a cyber liability insurance policy.

Growth of Cyber Insurance Market

The cyber insurance market has been growing as more businesses understand the need for protection from financial and reputational losses due to security breaches and cyber attacks. With more businesses feeling the effects of data breaches and cyber attacks, the value of cyber insurance’s market share is expected to continue climbing. According to MarketsandMarkets™, the cyber insurance market is projected to continue to grow from $7.8 billion in 2020 to $20.4 billion by 2025, with an annual growth rate of 21.2%.

AmTrustCyber Insurance Coverage Protects Businesses

Loss of a client’s data can be devastating, especially for a small business. Loss of customer lists, proprietary information and business plans can force a business to start over. AmTrustCyber offers a single cyber solution specifically tailored to protect small businesses against cybersecurity and privacy breaches. Our cyber insurance product is designed to reimburse the client for costs incurred to restore data from backups or originals or to gather, assemble and recollect such data from other sources to the level or condition in which it existed prior to the breach.

AmTrust’s cyber insurance policies generally cover indemnification for legal fees and expenses, provide customer notifications in the event of a breach, and include the option to monitor the information of anyone impacted for a specified period. Policies may also cover costs incurred in recovering compromised data or repairing damaged computer systems. Our product includes call center services for affected customers and public relations and crisis management expenses to help protect the business reputation of your client. Contact us for more information about our cyber coverage.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.