
Every company needs insurance — nothing new there. Liability and property coverage are just the costs of doing business.
But what if you get a ransomware threat? Would insurance pay out? Can you even insure against cyber risks? And do you need something called E&O coverage?
“The traditional commercial insurance like property, general liability, auto, umbrella and workers comp are still important,” says Kyle Drumwright, president of Starke Agency of Montgomery.
But cyber coverage is becoming critical in an era when the average ransom payment tops $600,000, according to law firm BakerHostetler’s 2023 Data Security Incident Response Report.
First, the basics.
“Almost every business at least needs general liability coverage,” says Brian Tanner, managing principal at Epic Brokers in Birmingham. And, if they have employees, they need worker’s compensation. If they have automobiles, they need liability and physical damage coverage. He recommends extra limits, also called umbrella policies, and something called executive risk. That covers directors and officers, employment practices and fiduciary coverage. Why? A common example is wrongful termination.
There are three ways to analyze coverage needs, Tanner says — contractual requirements, the company balance sheet and “enough limits so you sleep good at night.”
Two businesses may look very similar on paper, Tanner explains, but one is well managed with a strong balance sheet. The other isn’t.
“The guy whose balance sheet is strong needs to buy more limit than the guy whose balance sheet is weak,” he says. If a lawsuit goes over your insurance limit, someone with substantial assets has “a lot to lose.”
As for determining specifics, insurance brokers can help.

“We consider ourselves risk management consultants,” says Grantland Rice IV, chief administrative officer of Cobbs Allen of Birmingham. “In a lot of cases, we may be telling a client you’re buying too much insurance, or you need to restructure your insurance.”
All businesses need property and casualty/liability, he agrees. Cyber is high on the list. Marine policies can cover goods in transit.
“Sometimes you’re buying insurance the wrong way,” Rice says. “That’s just not something you can do online.”
Cobbs Allen has teams in specific areas like construction, education, real estate, natural resources, health care, manufacturing and distribution.
In incidents like workplace injuries or OSHA citations, Rice says, “We have some great consultants that can come in and navigate those things.”
Insurance professionals can help with general issues, too, like employee retention.
“In a lot of cases the business owner has a problem we can help with,” says Rice. A company might benefit from an improved safety manual or employee training. “How you structure your benefit plan could be driving your problem of keeping workers,” he suggests.
Once past these basics, brokers and agents agree the buzzword is cyber.

“The increase of crime and cyber policies have shown the demand and importance of protecting yourself as we are moving our businesses more digitally,” says Drumwright. “Those types of threats are impacting all businesses regardless of their online presences.”
Costs vary widely and are driven by industry type, he adds.
“If you are in the health care, education or financial services sector you will be paying more for these products,” Drumwright says.
Companies with good internal risk controls have an advantage. “If you are a best practices company, from a cyber security standpoint you can expect to pay in this range — small: $3,500; medium: $7,500; large: $15,000 or more annually.”
Cyber liability insurance can cover costs incurred “to recover from and remediate data breaches, ransomware, computer attacks as well as lost revenue resulting from these incidents,” explains Andy Lott, Birmingham regional president of the Insurance Office of America.
“In addition, cyber insurance covers financial fraud such as funds transfer fraud, and defense and liability related to claims alleging violations of privacy laws and statutes, the propagation of malware, infringement of intellectual property and regulatory proceedings,” he adds.
Cyber insurance is now “a fundamental requirement for businesses looking to protect themselves and their clients from financial losses and reputational damage,” Lott says.
“Nowadays all of my clients buy cyber insurance,” says Tanner. Ransomware is a big threat, even to smaller companies.
“They are easier targets,” he says. “Their systems are less sophisticated.”
In phishing cases, bad guys can hack into a system and just watch for a while, Tanner explains. If they see when a manager is going out of town, they might send the CFO a fake email asking for $5,000 to go to a specified person.
“It’s never a big number. It’s a small number,” he says. “Wire $5,000 bucks here, $10,000 bucks there. It’s amazing how many people fall for that.”
As if basic cyber coverage weren’t enough to worry about, technology providers should consider something called Technology Errors and Omissions insurance, or Tech E&O, Lott adds. That protects against claims of negligence or failure to perform professional duties due to errors, omissions, negligence or product failures within a company’s licensed, sold, manufactured and developed technical products and services, he explains.
Software developers are especially vulnerable to claims arising from customers “that are cyberattack victims due to the exploitation of vulnerabilities embedded in the source code of their technology products,” Lott says.
The bright spot is that cyber liability rates are moderating, Lott says, as carriers get a handle on the true cost of risks. Price increases for coverage seem to be slowing, he says, and better risk management may be reducing losses. But each business’ exposure is unique, so prices vary considerably.
Claims can range from thousands to hundreds of millions of dollars. Often there is no correlation between the records exposed in an incident and the ultimate cost, he says.
“What we can know is that the financial implications of a major cyber incident can be extremely high, especially considering direct costs (incident response, legal costs, notification costs and regulatory fines) and indirect costs (reputational harm and loss of business).”
The impact can be “catastrophic,” Lott says.
Gabe Clement, branch manager of the Byars|Wright Birmingham office, says remote work can add another layer of risk.
“An organization enabling its employees to work remotely may have a significantly higher risk if there aren’t cybersecurity controls in place, especially controls on home networks that leave businesses exposed,” Clement says.
Tanner points out that with cyber coverage, “what you’re really buying is the consultants who help you defend it when it occurs.”
One of his clients clicked on a bad link and was asked for $50,000. Because the right experts came in immediately and rebuilt the system, “they lost one day’s worth of work. That was it.”
“Not all cyber policies are created equal,” notes Rice. “Some don’t cover what people think they cover, which is another reason why people should talk to a person.” Some policies have “sublimits” for things like ransom attacks.
“Your social engineering limit could be significantly lower than your actual limit and people don’t realize it,” Rice says. “You thought you had a million dollars’ worth of coverage and you only had $25,000.”
But, he adds, “Even insurance won’t cover the reputational harm of it.”
Deborah Storey and Art Meripol are freelance contributors to Business Alabama. She is based in Huntsville and he in Birmingham.
This article appears in the September 2023 issue of Business Alabama.