Several recent, large-scale cyber events, including both data breaches and cyber attacks, demonstrate that companies, both large and small, must protect themselves against the risk of a cyber event. Cyber insurance policies can be an effective means of mitigating such risk, and with the average cost of responding to a data breach or cyber attack now in excess of $6 million, the decision to obtain such a policy is not necessarily a difficult one. But finding the right cyber insurance policy can pose a much more challenging task.
Although traditional CGL policies may, in limited circumstances, still provide coverage in the event of a data breach or cyber attack, relying on such policies to cover cyber liabilities has become increasingly risky and uncertain. In fact, many insurance companies now require the exclusion of cyber liabilities from CGL policies. Indeed, although the Fourth Circuit recently held, in Travelers Indemnity Co. v. Portal Healthcare Solutions, LLC, 644 Fed. Appx. 245 (4th Cir. 2016), that the insured's CGL policy provided coverage against a lawsuit for the alleged digital publication of private medical information, that holding will only serve to further motivate insurers to require specialized cyber insurance policies.
For a number of reasons, the process of selecting the right cyber insurance policy is unlikely to be as straightforward as picking between traditional providers for an auto insurance policy. Instead, because of the lack of standardization in the cyber insurance industry, a company in the market for cyber insurance is likely to find countless variations in coverage offerings. Although this lack of standardization provides opportunity to negotiate coverage options, it also makes comparing policies and finding coverage suitable for specific business needs more difficult, and creates a risk of obtaining a policy with critical gaps in coverage.
Consequently, before acquiring a cyber insurance policy, a company should be sure to first develop a complete understanding of the cyber risks specific to its business, thoroughly evaluate the extent to which its cyber insurance policy options cover those risks, and consult with a broker and legal counsel to make sure that it obtains a policy that adequately covers the types of risks that actually matter.
Understanding the Types of Cyber Insurance Coverage
The two main types of cyber risk coverage that companies generally consider include first-party coverage and third-party liability coverage:
First-Party Coverage can cover direct costs associated with responding to a cyber event, such as the unintended disclosure or loss of personal information, the theft, destruction, or loss of data caused by a crime or fraud, and the introduction of malware or viruses. Cyber events such as these can give rise to a number of significant costs including, among other things, costs for:
- Forensic investigation (i.e., costs for determining cause/impact of cyber event)
- Legal advice (i.e., costs to determine notification and regulatory obligations)
- Business interruption (i.e., losses of profit and extra expense due to network down time)
- Post-breach notification (i.e., costs for notifying potentially affected parties)
- Credit monitoring (i.e., costs for providing credit monitoring to potentially affected parties)
- Crisis management (i.e., costs for educating potentially affected parties)
- Hardware replacement
- Data restoration
Third-party liability coverage can cover costs associated with claims, lawsuits, and regulatory inquiries arising from a cyber event, including, among other things, costs for:
- Privacy liability (i.e., defense costs, judgments, and/or settlements associated with claims brought by employees or customers who suffer a breach of privacy due to a data breach or cyber attack)
- Data breach liability (i.e., defense costs, judgments, and/or settlements associated with claims arising from data breach incidents, such as claims for statutory violations or common law breach of contract or negligence)
- Electronic media content liability (i.e., defense costs, judgments, and/or settlements associated with trademark and copyright claims arising from dissemination of electronic materials)
- Regulatory response (i.e., costs for responding to regulatory inquiries relating to a cyber event, including costs associated with investigations, fines, and penalties)
The cyber insurance market is filled with policies providing different combinations of these coverage types, so developing an understanding of each is a critical step in selecting a cyber insurance policy. A company armed with this understanding, along with knowledge of cyber risks specific to its business, can more effectively determine which of its cyber insurance policy options best suits its needs.
Understanding the Provisions, Disclaimers, and Exclusions in a Cyber Insurance Policy
Companies in the market for cyber insurance should also consider the provisions, disclaimers, and exclusions in each of its cyber insurance policy options. Here are some examples of questions that companies should ask themselves in doing so:
- Does the policy contain exclusions that are relevant to the company's business activities?
- Does the policy provide for a broad trigger of coverage (i.e., coverage for any failure to protect customer information, not just intentional breach; coverage for regulatory investigations, not just lawsuits)?
- What are the policy's limits and deductibles?
- Does the policy provide a right to choose defense counsel?
- Does the policy provide coverage for acts or omissions of third-persons (e.g., vendors)?
- Does the policy's coverage territory match company needs (e.g., regional vs. national vs. worldwide)?
Take Steps to Prevent a Cyber Event Altogether
Although cyber insurance can provide broad protections in the event of a cyber attack or cyber breach, companies should also put in place sufficient internal cyber security measures to limit the chances that a cyber event happens altogether. By doing so, a company can limit the chances of being hit by costs unlikely to be covered by cyber insurance, such as reputational harm, loss of future revenue, and costs to improve internal technology. And as an added benefit, by increasing preparedness for a cyber event, a company can make itself a more attractive prospective insured and find better rates and better coverage.
Data breaches and cyber attacks can be extraordinarily costly events, both for a company's bottom-line and its reputation. Companies should therefore be sure to take a well-rounded approach to protecting themselves that includes, at the very least, a cyber insurance policy tailored to its specific needs and internal cyber security measures designed to limit their chances of falling victim to a cyber event. And should a data breach of cyber attack occur, it is important to coordinate with legal counsel to ensure that a claim is presented to maximize coverage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.