Part of any company’s contingency plan for financing losses that might arise from cyber threats should include a review of its current insurance coverage and an assessment of the costs and benefits of obtaining cyber-specific insurance coverage.
Questions that should initially be addressed, and items to consider in this regard, include:
1. Are we protected under our Commercial General Liability insurance coverage?
There are likely significant limitations on the protection provided by such coverage due to limitations of the coverage to losses arising from damage to “tangible” property (as opposed to intangible data losses) and specific exclusions of coverage for damage to electronic data.
2. Are our directors and officers adequately protected from suits by shareholders and regulatory agencies?
Increasingly, D&O insurers are taking much harder looks at companies’ information technology safety and security, and are considering including exclusions or limitations on the protection they provide under their policies.
3. Is the company itself protected from claims by customers, regulatory agencies and other third parties under our D&O policy?
For publicly traded companies, in particular, the answer is likely “no” because of limitation of the coverage to securities-related claims.
Given these limitations on coverage under the more traditional forms of insurance coverage, insurers are developing new cyber-specific insurance coverage forms. The policy forms are often menu-driven, where a company can pick and choose the particular coverage it wishes to include in the policy. This might include protection for costs associated with the company’s direct losses arising from business interruption, extra expenses, and reputation damage resulting from a breach event.
Additionally, a cyber policy may provide protection against third-party claims and associated losses and expenses arising from:
- Failures of network security systems
- Wrongful disclosure of information
- Regulatory investigations arising from privacy and data breaches
- Forensic investigations following breaches
- Customer notification expenses following a breach
- Costs associated with providing credit monitoring and identity protection services to customers following a breach
Given the relative infancy of cyber insurance, there are no standardized policy forms utilized by insurers. Every insurer writes the coverage on its own policy forms, and the scope and breadth of protection can vary widely from one insurer to the next. Seemingly small differences in the wording of the policy forms can lead to significant differences in how the policies will potentially respond in the event of an actual claim. At the same time, however, the terms and conditions of the policy forms are typically highly negotiable and can be tailored to cover the risks posing the greatest threat to any particular client.