Why a BOP Cyber Extension Isn't Enough for SMBs

Standalone insurance offers significantly better protection from cyber risk

By At-Bay, Inc.

Many small to medium-sized businesses (SMBs) opt for a Business Owners Policy (BOP) as a cost-reducing way to bundle insurance coverages for general liability and property risks. Some insurance carriers offer cyber extensions as an add-on to BOP coverages, which SMBs on a tight budget might prefer as a more affordable solution in lieu of standalone cyber insurance. 

However, there are big differences between a cyber extension and a standalone policy. Often, a BOP cyber extension isn’t a sufficient solution for SMBs to manage their cyber risk.

Here’s why a standalone cyber policy offers significantly better protection from cyber risk:

What Is a Business Owners Policy? 

Business Owner Policies are often colloquially referred to as “slip and fall policies” because they are best known for covering bodily injury that occurs on company premises. In addition to this type of general liability coverage, they also bundle coverages for business interruption and damage to property or physical assets. 

Most BOP insurance does not include professional liability, auto, workers' compensation, health, disability, or cyber coverage.

What Does a BOP Cyber Extension Cover? 

Although BOP insurance typically focuses on physical rather than digital damage and excludes cyber coverage, some BOP providers offer an option to add on a cyber extension. The coverage offered by these extensions is extremely limited. They typically cover some third-party costs, primarily related to damages from regulatory or legal non-compliance resulting from a cyber incident.

BOP Cyber Extension vs. Standalone Cyber Insurance

Here’s a quick breakdown of the difference between a Business Owners Policy with a cyber extension and a standalone cyber policy:

Limitations of a BOP Cyber Extension

BOP cyber extensions can’t sufficiently protect SMBs from some of the biggest digital risks. The disadvantages include: 

Small sublimits. Cyber extensions usually have small sublimit caps at $50K or $100K. In the event of a claim, sublimits this low are unlikely to cover all costs, meaning your client may end up with large out-of-pocket expenses. 

According to 2022 data on SMB cyber incidents from NetDiligence, the average cost of a cyber claim for SMBs in 2021 was $170K, and the average cost of a ransomware claim was $450K. This means typical BOP cyber extension sublimits don’t come close to covering the average cost of SMB cyber claims.

Limited to no first-party coverage. BOP cyber extensions are designed to cover third-party claims, often explicitly excluding first-party costs. The following first-party coverages are typically excluded from BOP cyber extensions:

• Event Response: Covers costs associated with responding to a cyber event, including breach coach, forensics, notification, and credit monitoring costs.
• Data Recovery: Covers costs of data restoration and recreation of data that has been lost, corrupted, or destroyed due to a cyber event.
• Ransomware/Extortion: Covers the costs to mitigate the severity of extortion loss and the payment of funds/cryptocurrency/assets as requested by the malicious third party.
• Social Engineering/Financial Fraud: Covers theft of funds or computer fraud loss that the insured suffers as a result of a malicious actor duping them and/or impersonating an employer or client.
• Business Interruption: Covers the loss of revenue and associated expenses due to an interruption or outage of the insured’s system due to a cyber event or non-malicious system failure. 
• Reputational Harm: Covers lost business income due to an adverse publication stating they had a privacy event or network security event. 

No cyber risk management. Cyber extensions are unlikely to include access to risk management services like vulnerability scanning or exposure management that can help insureds reduce their risk of attacks that lead to loss. 

No vendor access. Even the best BOP cyber extensions don’t typically provide access to vendors, like digital forensics and incident response (DFIR), that are crucial to help SMBs recover after a cyber incident. 

Why SMBs Need Comprehensive Cyber Coverage

Almost all modern businesses are digital to some degree and can therefore benefit from cyber insurance. Cyber coverage is beneficial for any business that:

• Has a business email or website
• Uses computers/mobile devices
• Accepts credit cards or any type of digital payment
• Stores customer, employee, or supplier information (such as names, addresses, and emails)
• Keeps medical or financial data

There’s a myth that SMBs aren’t targeted by cyber attacks. This simply isn’t true. In fact, according to the NetDiligence Cyber Claims Study 2022 Report, 98% of cyber insurance claims in the five-year period between 2017-2021 came from SMBs with under $2B in revenue. 

Industry-Leading Cyber Insurance From At-Bay

At-Bay is the world’s first InsurSec provider designed from the ground up to help businesses tackle cyber risk head on. 

By combining industry-leading insurance with world-class cyber security technology, At-Bay offers end-to-end prevention and protection for the digital age. At-Bay helps its 30,000+ customers close their security technology and skills gap — all through their cyber insurance policy — making them up to 5X less likely to be hit with a ransomware attack as compared to industry average.¹ 

At-Bay’s standalone Cyber insurance goes far beyond the limitations of a BOP cyber extension, offering comprehensive coverage that helps SMBs thrive in the digital world. Get a Cyber insurance quote with At-Bay →

¹ Frequency Based on Primary and Excess Cyber and Tech Errors & Omissions losses reported and exposure earned through 9/30/2022, evaluated as of 10/1/2022, and 2020-2021 industry analysis.