“Cyber” insurance refers to the insurance coverage purchased to mitigate cyber security, data privacy and other risks. But selecting and negotiating the right insurance product can present a significant challenge given, among other things, the lack of standardized policy language and the fact that many “off the shelf” policies do not adequately match the organization’s risk profile.
A recent survey by Chubb Group of Insurance Companies found that 65 percent of public companies forego cyber insurance – even though they identify cyber risk as their number one concern. Meanwhile, a quarter of those surveyed are expecting a cyber breach in the coming year, and 71 percent have cyber breach response plans in place.
High-profile and high-risk companies may appear to be the likeliest targets, but small-to-medium sized businesses are not immune. According to a recent study by the U.S. Secret Service and Verizon Communications, Inc., over 72 percent of all data breaches occurred at small and medium-sized businesses. The average cost of a breach? Over five million dollars, according to most financial analysts. The bottom line is that we are all at risk.
So why do only 35 percent of companies invest in cyber liability insurance?
For one, many executives don’t know that it exists. And even if they do, they probably don’t think an attack will happen to them, or they’re not overly worried about the potential fallout of such a breach. However, for many more, the high cost of policy premiums is prohibitive.
Policy premiums are primarily based on your industry. For example, if you are an e-commerce company doing online transactions and storing data such as credit card information, you are considered high risk for data breach and thus subject to higher premiums. Medical-related institutions hosting data, such as date of birth information, social security numbers and medical records, are also higher risk.
Cyber insurance may be necessary based on the activities of an organization, including the scope and type of personally identifiable information and confidential corporate data maintained by the company and the manner in which (and by whom) such data is used, transmitted and stored. An organization should also consider the pervasiveness and manner of use of unencrypted mobile and other portable devices.
Separate cyber insurance may not always be necessary. Recently, a California federal district court held that there was coverage for a data breach affecting nearly 20,000 patients under a traditional CGL policy. (Hartford Casualty Insurance Company v. Corcino & Associates et al.) There may also be valuable coverage for data breach and network security liability and network security failures under an organization’s commercial property, D&O, E&O, professional liability, fiduciary, crime and other coverages.
The recent trend among CGL policies, however, is to exclude coverage for data security breaches and similar events. Insurance Services Office, Inc. (ISO), the leading provider of form-based insurance policies, recently filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies, which will become effective in May 2014. These exclusions provide another reason for companies to carefully consider specialty “cyber” insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies.
As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises confidential personally identifiable information. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation” coverage (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:
- costs associated with post-data breach notification
- credit monitoring services
- forensic investigation to determine cause and scope of a breach
- public relations efforts and other “crisis management” expenses
- legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.
Cyber insurance policies often offer other types of coverages, including:
- network security coverage (often in the same coverage grant as the “privacy” coverage discussed above), which generally covers liability arising out of security threats to networks, including, for example, transmission of malicious code and DDoS attacks;
- media liability coverage, which generally covers liability arising out of, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content;
- information asset coverage, which generally covers an insured for the cost of recreating, restoring or repairing the insured’s own data or computer systems;
- network interruption coverage, which generally covers an insured for its lost revenue due to network interruption or disruptions resulting from a DDoS attack, malicious code or other security threats to networks; and
- extortion coverage, which generally covers an insured for the costs of responding to “e-extortion” threats to prevent a threatened cyber attack.
In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk management services, which can be valuable in preventing as well as mitigating attacks.
Businesses that do not deal primarily with electronic data should not ignore the potential need for cyber insurance. Data privacy laws do not distinguish between a breach resulting from a network security failure and a breach on account of paper records stolen from a closet. Cyber insurance policies may also provide coverage for events involving non-electronic data, such as paper records, or physical breaches resulting from, for example, the theft of a laptop or the loss of a USB drive.
Axis Legal Counsel provides legal advice to numerous businesses with a variety of legal matters, including business administrations, corporate governance, operations, risk management / insurance, labor/employment matters, healthcare, and statutory/legal compliance. For information on retaining Axis Legal Counsel to represent your business in connection with any legal matter, contact [email protected] or call (213) 403-0130 for a confidential consultation.