The data breach earlier this month that potentially exposed information about millions of federal government employees is yet another reminder that any organization that maintains data is at risk of being hacked. And rest assured that if you get hacked, you will incur substantial costs as a result, including substantial notice and related costs and potentially massive third-party liability claims.
We have written extensively about so-called "cyber" insurance, including how cyber insurance is neither comprehensive nor standardized. As a result, when you are shopping for your first (or next) cyber policy it is important to understand what types of coverages, exclusions and conditions are in the market. Making a well-informed purchase starts with knowing your options.
There are too many differences between cyber policies to cover in one blog post, and the market, still in its youth, is rapidly evolving. But here is a list of five important things—in no particular order—to consider when you're in the market for cyber insurance:
- Is your data covered wherever it resides? In today's world, a substantial amount of data resides outside the company walls, including with cloud providers and on mobile devices. Some cyber policies cover data in these locations, some may not. Depending on the policy, where your company maintains its data could be the difference between coverage and no coverage.
- The pros and cons of insurer-provided breach-response services. Many cyber insurers market themselves as a "one-stop shop" for a data breach response effort, offering policyholders their own network of data breach response specialists. This can be both a good and bad thing. Insurer-approved vendors can minimize disputes between policyholder and insurer regarding the expenses incurred during the response. On the other hand, a policyholder may have a preexisting relationship with a particular specialist or require special expertise that the insurer's vendors don't possess. Although you may not be precluded from using a vendor of your own choosing, you can generally expect a greater likelihood of a dispute with the insurer, including, most notably, regarding the vendor's fees.
- Coverage for failure to timely disclose breach. One of the most important actions that must be taken following a breach is notifying individuals whose personal information may have been compromised. Coverage for the cost of providing such notice typically is covered under a cyber policy, subject to certain potential limitations. But another common third-party claim is that the defendant-company failed to provide timely notice of the breach to the affected individuals. You will want to review any policy you are considering to ensure it covers such claims.
- Regulatory defense and fines. Government investigations following a large data breach—for example, by state attorneys general—are not uncommon. And they can be costly, both as a result of defense fees and potential regulatory fines. Coverage for regulatory investigations and actions is typical in cyber policies, but you should confirm the extent of coverage and look for any important exclusions or other restrictions on coverage.
- Watch out for exclusions. Cyber policies typically contain a lot of exclusions that cut away at the coverages provided by the policy. An example can be found in a recent lawsuit filed by a cyber insurer in which it disclaims coverage on the basis of one such exclusion. Collectively, the numerous exclusions found in cyber policies have the potential to substantially narrow the coverage you thought you were purchasing. That problem is compounded when exclusions are worded broadly and/or vaguely.
These issues—and others—must be considered when analyzing the myriad, one-size-does-not–fit-all cyber policy offerings in the market today. Particular attention should be paid to those issues that are most likely to be important to the policyholder given the specific nature of its business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.