As costly data breaches and hacking attacks make international headlines, hefty regulatory fines are levied, and the Securities and Exchange Commission (SEC) advises public companies to review the adequacy of their disclosures relating to cyber security risks and cyber incidents, insurance policies covering cyber security exposures — so called “cyber insurance” — are starting to gain more and more prominence. In fact, the SEC notes that a company’s disclosure may include a description of relevant insurance coverage. While cyber insurance is not a replacement for diligent in-house data security policies and procedures, prudent businesses should seriously consider it as part of their risk management program.
Despite the increasing awareness of cyber and privacy risks and perils, questions abound about the coverages available under cyber insurance policies and how those policies relate to more traditional coverage forms. Since virtually every entity, regardless of size, faces some sort of cyber risk, it is incumbent on entities to examine their cyber vulnerabilities and assess how they can best protect themselves from cyber liabilities.
Identify your cyber perils
The first step in the process should be an evaluation of an entity's exposure to cyber perils. Not every company is the same, and the cyber and privacy risks facing an online retailer, for example, would be different from those facing a consulting company. A one-size-fits-all approach to this step is not advised.
Prominent privacy and cyber perils include: expenses related to computer forensics, breach notification, and credit monitoring; liability to third parties for privacy breaches; damage to computer data caused by an employee or a third party; business interruption due to failure of the company's or a service provider's network security; and expenses connected with regulatory actions arising out of breach of privacy regulations, including coverage of fines and penalties. In addition, many entities face significant exposure related to credit and debit cards, including fines assessed for violation of the Payment Card Industry Data Standards. Companies facing a data breach also may be thrust into a public relations nightmare.
Companies should take an enterprise-wide approach to this step to ensure that the risks facing all divisions within the business are incorporated into the assessment.
Examine your existing insurance program
Next, carefully examine your existing insurance policies to determine how the coverages you currently have match up with the cyber risks you have identified. Traditional property and liability policies, as well as fidelity bonds, can contain some protection against cyber risks. Kidnap and ransom policies also may provide coverage for cyber risks associated with an extortion demand.
That said, many traditional policies make clear that damage to "data" is not covered. They typically exclude coverage for "damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate 'electronic data' that does not result from physical injury to tangible property." Electronic data is defined broadly and includes information, facts or programs stored as or on, created or used on, or transmitted to or from computer software (including systems and applications software), hard or floppy disks, CD-ROMs, tapes, drives, and cells. Some policies also contain exclusions specially targeting privacy and cyber risks, such as exclusions for Telephone Consumer Protection Act (TCPA) claims.
The insurance program review is complicated by the fact that most entities are insured under a variety of insurance policies that must be considered individually and in relation to each other. Due to the complexity of these issues, entities should consider bringing in experienced counsel and insurance brokers to assist with this analysis.
Consider cyber policies to fill the gaps
If you've identified coverage gaps — the exposures your company faces that are not covered by your existing policies -- you should consider purchasing cyber insurance. Cyber policies generally provide coverage for liability arising from a data breach and for responding to a regulatory action following a breach. They also typically cover costs related to forensic investigations to assess and remediate a breach, to notify affected parties of a breach, and to retain public relations professionals to mitigate any fall-out from a breach. Damage to and restoration of data, as well as lost income arising from an interruption of the insured's business due to a cyber event, also can be covered.
Not all cyber insurance policies, however, are created equal. Because cyber insurance is still in its nascent stages, there is no standard policy language in widespread use, as is the case with more traditional policies, and many policies are manuscripted to suit the particular needs of the parties. Therefore, careful evaluation of coverage options is especially important, and potential insureds should seek the input from various departments within the organization, including IT, human resources and finance, to ensure that any cyber policies under consideration address the organization's specific coverage needs. Input from these sources also will be important during the insurance application process.
Companies in the market for cyber and privacy coverage should ensure that any policy under consideration applies to the appropriate coverage territory — worldwide versus a more limited territory — and that the trigger of coverage — coverage activated when the loss occurs versus when the claim is made — is best suited for the company's needs. Retroactive coverage is desirable for many companies, particularly for first-time cyber insureds. Exclusions must be closely examined as well. In addition to consideration of these coverage options, entities need to look at issues such as available policy limits, sublimits and deductibles, premiums and the insurer's claims handling processes and capabilities in the event of a breach.
Given the variety of complex issues involved in this analysis, entities should consider seeking the assistance of experienced counsel and brokers to help identify their cyber and privacy risks and to obtain the most suitable cyber insurance policy to address those risks.