Cyber Insurance: Protection for the New Normal

May 9, 2018 | Ada Janocinska | Privacy, Data & Cyber Law

Cybersecurity breaches have become commonplace. In 2017, the global economy incurred an estimated loss of over $450 billion from cyber-related crimes and security breaches. It is no longer a question of whether a business will fall victim to a security breach or malware attack, but only a question of when. A cybersecurity event can have catastrophic financial and reputational consequences for a business. One of the most effective tools to manage the risk of cyber-attack is for a business to have adequate insurance coverage in place to help it survive after a cyber-event occurs.

Cyber coverage can take many forms. As a starting point, businesses should carefully review their existing insurance policies to determine whether and under what circumstances cyber coverage is included or can be added to their existing policies. The interplay of the many policies that a typical business maintains can be complicated and evolve over time. A business interested in meaningfully assessing its present coverage would do well to conduct a full coverage assessment with the help of its broker, lawyer or other professional.

In years past, it was assumed that many traditional policies would provide some cyber protection, whether unintentionally or by design, depending on the nature of the claim and policy. For example, general liability policies might offer coverage for claims asserted by customers whose information is compromised due to a security breach. Directors and officers insurance could be interpreted to protect executives and board members who were named as defendants in a cyber-related suit for failing to properly secure the company’s technology or disclose the cyber-risk to its investors. Professional liability insurance could be argued to apply when, in the course of providing professional services, a cyber incident occurred. Similarly, property insurance might cover physical damage to servers, computers or other hardware that was caused by a cyber-attack.

However, these traditional policies were not drafted with cyber threats in mind. As such, the policies were generally ill-suited to address substantial aspects of the harm a company suffers as a result of a cyber-attack. Additionally, as the cyber threat has grown, insurance companies have increasingly made clear, in their policy language or endorsements to the policy, or through judicial decisions resulting from coverage disputes, that cyber claims are excluded from the traditional coverage.  As such, even a careful, well-insured company may find itself without adequate insurance if it falls victim to a cyber-attack.

As part of its insurance program or on a stand-alone basis, a business should consider obtaining a separate cyber insurance policy. Because the cyber insurance industry is relatively new and untested, there are no standard terms and each policy needs to be read carefully to ensure that the business is, indeed, getting coverage that is appropriate to that business’s practices and cyber exposure.  Nevertheless, despite the variations, cyber policies generally provide for two types of coverage with separate coverage limits – referred to as “first-party” and “third-party” benefits.

First-party benefits cover items that are often the most costly consequences of a cybersecurity event and would almost never be covered by traditional insurance.  First-party benefits are triggered by a cybersecurity event, whether or not a claim is ever made. Coverage may include:

Pre-Event Services

  • Risk assessment and recommendations as to amelioration of present cyber vulnerabilities. This may be provided as part of the underwriting process;
  • Assistance in creating a “rapid response plan” and retention of a panel of cyber experts that will be available to the business when an event occurs.

Investigation and Response

  • Cost of forensic investigation to understand how the cyber incident occurred, how to prevent it from occurring again and how to repair damage caused by it;
  • Assignment of approved legal and cyber experts to work with the insured;
  • Use of a “breach coach” to coordinate response from beginning to end in a legally defensible manner;
  • Payment of “ransom” up to the insured limits in the event of a ransomware or cyber-extortion attack.

Notification

  • Notification of the public and affected customers, in compliance with applicable federal and state laws and industry regulations;
  • Notification and coordination with local and federal law enforcement;
  • Cost of credit monitoring for affected customers;
  • Public relations and reputation remediation costs.

Business Losses and Expenses

  • Lost profit and related expenses from business interruption;
  • Cost of data restoration and repairing/replacing damaged equipment or systems;
  • Cost of security upgrades and other safeguards to mitigate damages and prevent future incidents.

The third-party benefit of a cyber policy is more akin to traditional forms of insurance. It is intended to provide defense and indemnity benefits to the business for claims made against it by others that allegedly arise from a cybersecurity event. The third-party benefit provides coverage as follows:

Regulatory Fines and Third-Party Claims

  • Legal settlements or damages awarded to third parties, including affected customers that may file a privacy cause of action or tort claim, or affiliates that may file infringement claims for breaches of copyright or trademark rights, etc.;
  • Certain regulatory fines incurred under federal and/or state law;
  • Legal counsel to represent the company’s interest in legal proceedings concerning claims or fines.

The exact coverage and insurance amounts will vary depending on the insurance policy that is obtained, which should also be proportionate to the risk and potential exposure a business may face in the event of a cyber incident, depending on the size and type of business. Businesses should be proactive in reviewing their insurance policies with their insurance brokers and legal counsel to maximize their potential for recovery when a cyber incident occurs.
