Cyber Insurance and Your Business

Disclaimer: JobNimbus is not an insurance provider, insurance broker, or law firm. Nothing in our communications — including conversations with our support team, social media posts, help center articles, or any other materials — constitutes insurance advice, legal advice, or a recommendation to purchase or decline any insurance product.

JobNimbus maintains its own cyber insurance coverage. This coverage is specific to JobNimbus and its obligations. It does not extend to, replace, or supplement any insurance coverage that your business may or may not carry.

Questions about your business’s insurance needs should be directed to a licensed insurance broker or qualified legal counsel familiar with your specific circumstances.


What This Document Covers

We are hearing this question more often: “Does your cyber insurance cover my business?” It’s an important question, and we want to help you understand how cyber insurance works so you can make informed decisions with your own insurance broker or legal counsel.

This document explains how cyber insurance works in the context of a SaaS (Software as a Service) provider and its customers.

How Our Cyber Insurance Works

Cyber insurance policies cover the named insured — the company that purchased the policy. We maintain cyber insurance that covers JobNimbus.

Our policy is structured around two categories of coverage, which is standard for SaaS providers:

First-party coverage protects us against our own direct losses from a cyber event, such as:

  • Incident response and forensic investigation costs
  • Business interruption losses to JobNimbus
  • Data restoration costs
  • Notification obligations that fall on us

Third-party coverage protects us against claims made by others — including customers — alleging that a security or privacy failure on our end caused them harm. This coverage funds our legal defense and any resulting settlements or judgments, up to our policy limits.

What Our Policy Does Not Do

Our cyber insurance policy does not:

  • Name our customers as insureds
  • Pay customers directly for their losses
  • Extend coverage to our customers’ businesses
  • Replace or supplement any insurance coverage you may or may not carry
  • Cover incidents that originate outside of our systems

Our policy responds to claims made against JobNimbus. It does not cover your independent costs, obligations, or liabilities — even when a cyber event involves our platform.

Your Independent Obligations

Regardless of what insurance we carry, your business has its own legal and regulatory obligations related to data protection. These obligations exist because of your relationship with your own customers and employees — not because of your relationship with us.

Breach Notification

All 50 U.S. states, the District of Columbia, and U.S. territories have data breach notification laws. These laws generally require the entity that has the direct relationship with affected individuals to provide notification when personal information is compromised. In some cases, that entity is your business, not your SaaS provider.

Notification timelines vary by state — some require notification within 30 days of discovery. Many also require notification to the state Attorney General above certain thresholds.

Incidents Originating from Your Environment

Not all cyber incidents originate at the SaaS provider. Common scenarios include:

  • Employee credentials compromised through phishing or credential stuffing
  • Multi-factor authentication not enabled on user accounts
  • Security settings within the platform configured in a way that exposes data

In these cases, the SaaS provider’s systems functioned as designed. Because the incident originated from the customer’s environment, a SaaS provider’s cyber insurance generally does not cover the resulting losses.

Limitations in SaaS Agreements

SaaS agreements, including ours, contain terms that affect how losses are handled. Common provisions include:

  • Liability caps: SaaS agreements typically cap the provider’s total liability, often tied to fees paid over a defined period.
  • Exclusion of consequential damages: Most SaaS agreements, including ours, exclude indirect, incidental, and consequential damages — which can include lost profits, reputational harm, regulatory fines, and third-party claims.

These provisions are standard across the SaaS industry and mean that contractual recovery may not cover the full scope of a customer’s losses.

Your specific rights and limitations are governed by the terms of your agreement with us.


Questions to Discuss with Your Broker

If you are evaluating whether your business should carry its own cyber insurance, the following questions may be useful in a conversation with a licensed insurance broker:

  1. Does the policy cover losses caused by a cyber event at a third-party service provider I depend on? (This is sometimes called “dependent business interruption” or “contingent business interruption” coverage.)
  2. Does the policy cover regulatory defense costs and fines?
  3. Does the policy cover breach notification costs, including legal counsel, forensic investigation, and credit monitoring?
  4. What is the waiting period before business interruption coverage takes effect?
  5. Does the policy distinguish between a “security failure” (malicious attack) and a “system failure” (operational outage) at a vendor?
  6. Does the policy cover incidents originating from my own environment (compromised credentials, employee error)?

Further Reading

The following public resources provide additional context on cyber insurance and data protection obligations:

  • NAIC (National Association of Insurance Commissioners): Publishes annual cyber insurance market reports and a cybersecurity resource guide at naic.org
  • CISA (Cybersecurity and Infrastructure Security Agency): Provides cybersecurity guidance for small and medium businesses at cisa.gov
  • NIST Cybersecurity Framework 2.0: Addresses supply chain risk management, including third-party service provider dependencies, at nist.gov
  • FTC “Start with Security” Guidance: Addresses business obligations for overseeing service provider security practices at ftc.gov
  • NCSL (National Conference of State Legislatures): Maintains a tracker of state data breach notification laws at ncsl.org