The recent well-publicized data breaches of Equifax, Uber and other companies underscore the need for businesses of all sizes to protect themselves against the risk of a cyber-attack. Many insurance companies are excluding cyber liability from their traditional CGL policies. As such, businesses should secure effective cyber insurance policies to mitigate their risk. However, finding the “right” cyber insurance policy presents unique challenges.
Unlike the health, auto, and professional liability insurance areas, which are heavily regulated with detailed underwriting standards, cyber insurance has limited underwriting standards, and choosing the right policy can be a daunting challenge for a business. Indeed, a purchaser of cyber liability insurance is likely to be presented with many variations and coverage offerings. This lack of standardization, however, does provide an opportunity to negotiate coverage options. Indeed, many cyber risk insurers have more freedom to negotiate with prospective policy holders, modify underwriting standards and rates, and adopt new policy provisions than new carriers of other insurance products.
There are two types of cyber risk coverage that your company can consider: first-party coverage and third-party coverage. First-Party Coverage covers losses associated with responding to a cyber event. This could include the loss of personal information, loss of data caused by a crime or fraud, or the introduction of malware or viruses into the computer networks. Some of the salient costs of a cyber event that you should ensure are covered in the cyber policy you select include:
- Hardware replacement
- Crisis management
- Forensic investigation (hiring of an IT forensic specialist to determine the cause, origin and details of the cyber-attack)
- Attorney’s fees (for example, the cost of ensuring compliance with regulatory obligations and notice requirements)
- Business interruption
- Post-breach notification (the cost of complying with state and federal statutes regarding notification of the breach to affected customers)
- Credit monitoring
- Data restoration
Third-Party Coverage includes costs associated with lawsuits, claims and regulatory actions which may arise from the cyber event, including:
- Regulatory response (the cost of responding to regulatory inquiries related to a cyber-attack)
- Electronic media content liability
- Data breach liability
- Privacy liability
Additionally, you should consider, depending on your unique business needs, whether the cyber security policies you select cover items such as the following:
- Laptop insurance
- Cyber business interruption coverage
- Coverage for cyber extortion and terrorism
- Coverage for litigation and regulatory enforcement proceedings
- Coverage for network security
- Coverage for data breach crisis response, including recognition, response planning and recovery planning. This may include retention of a forensic specialist, depending on the nature of the breach and your company.
- Lost/stolen data and digital assets
Securing the proper cyber insurance policy requires considering the coverages available, and your business may want to review the following additional factors when selecting a cyber policy:
- Evaluate your existing insurance coverage. It is important to understand what coverage may be available under existing policies, which will enable you to purchase the type of cyber insurance your company needs.
- Identify your company’s risk. Depending on the nature of your business, you face many risks. For example, with healthcare companies, banks or retailers, a primary concern may be the theft of personal financial information of their customers or clients. On the other hand, companies like utility companies face the risk of business interruption through physical attacks on their computer networks. As such, businesses must tailor their coverage to protect against the risks that they face.
- Obtain appropriate insurance limits. Your company should weigh the anticipated costs associated with a data breach against the limits of liability available and their related cost. The cost of responding to a data breach can be substantial. Your company should try to match the limits of liability with its realistic exposure in the event of a cyber loss.
- Evaluate coverage exclusions. Because cyber insurance is a new product, policy language is typically not standardized. For this reason, it is important to carefully analyze exclusions and policies and, if necessary, negotiate with the insurer or seek other quotes.
- Consider coverage for acts and omissions by contractors and other parties. If your company outsources data processing or storage to a third-party vendor, it is important that your cyber insurance policy provide coverage for claims that may arise from the negligence of one or more of your vendors. Consider including insurance coverage requirements in all of your vendor contracts.
- Obtain coverage for lost information on laptops and other unencrypted devices. Many cyber insurance policies provide coverage for loss of data through personal computers. If your company provides company-owned laptops, it is recommended that you obtain coverage for such losses.
- Obtain coverage for regulatory actions. In addition to data loss, your company could be the subject of a regulatory action in the event of a cyber-attack. It is recommended that your company obtain a cyber insurance policy that provides coverage for a regulatory investigation or regulatory action arising from a cyber incident.
- Obtain coverage for data restoration costs. It is recommended that your cyber insurance include coverage for the cost to replace, upgrade or maintain the computer system that was breached, as the costs are potentially prohibitive.
Because the market for cyber insurance is not mature, the scope of coverage available and its cost can vary significantly from insurer to insurer. It is therefore important to involve both outside counsel and an insurance broker with experience and knowledge about cyber insurance in your selection process.