Cyber Insurance: The Coverage(s) You May Need For a Breach
August 6, 2020
According to the World Economic Forum, in 2019, cyberattacks were among the global risks most likely to increase across the private sector within the next 10 years. Not only are they expected to increase, but cyberattacks already occur frequently. In 2018, 62% of businesses experienced phishing or social engineering attacks. In the first half of 2019, data breaches exposed 4.1 billion records, and the average cost of a data breach was $3.92 million. It takes on average 314 days to contain a breach.
When a cyberattack affects a company’s data, such as financial or transaction information and/or customer or employee personal information, the company may face a variety of losses and expenses. Although these might be mitigated somewhat by a traditional commercial insurance policy, it behooves businesses to consider additional coverage for cyber-specific protection. Additionally, because cyberattack strategies and threats evolve rapidly, such policies should be reviewed by experienced counsel to identify any newly created gaps. This alert details some types of security threats and insurance coverage to mitigate potential damage from cyber threats.
Types of Security Threats
Cyber risk takes many shapes. One of the most common is the “cyber breach”—a successful attempt by an attacker to gain unauthorized access to an organization’s computer systems. Another is the “data breach”—an intrusion that exposes personally identifiable information (PII) in the business’s custody. Both types can result in a loss of data integrity, security, and confidentiality, can expose the business to liability, and can arise from either internal or external causes.
Internal causes might involve employees who fail to safeguard access to a company laptop or other media containing PII, security configuration errors that inadvertently expose PII to public-facing websites, or improper disposal of hardware containing PII or paper copies of PII.
External causes include “hacking,” where an external intruder attempts to penetrate the business’s network to access data. Another common tactic is to gain access to legitimate business email accounts and use them to send fraudulent instructions to transfer funds, or to gain intelligence on company operations and then set up “typosquatting” domain names from which fraudulent emails are sent, masquerading as the business. Hacking attempts do not always involve programmers using computers to break into secured systems. It is usually far easier to gain access through “phishing” scams, where the hacker calls or sends an email to busy employees to try to trick them into providing authentication credentials. Such attacks are both internal and external: the external threat of a hacker taking advantage of the internal threat of an overly trusting employee who has not been adequately trained on phishing schemes.
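The lookalike-domain tactic described above is one that a defender can screen for mechanically: a sender domain that is not the company's own, yet collapses to it once visually confusable characters are folded, sits within a couple of edits of it, or embeds it as a leading label, deserves review before any funds-transfer instruction is acted on. The following is an added example written for this alert, not code from the original article or from Lewis Rice; the legitimate domain examplecorp.com, the small confusables table, and the sample From: headers are all constructed for illustration.

```python
"""Lookalike ("typosquatting") sender-domain screen for inbound email.

Added example, not part of the original alert. The legitimate domain,
the confusables table, and the sample From: headers are constructed.
"""
import unicodedata
from email.utils import parseaddr

# Assumed: the business's own registered domain(s).
LEGIT_DOMAINS = {"examplecorp.com"}

# Characters commonly mistaken for letters in ordinary fonts.
# Small, assumed table; a real deployment would use a fuller confusables list.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by row-wise dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Canonical form: trailing dot removed, Unicode compatibility-folded,
    lowercased, and confusable sequences mapped to the letters they imitate."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".")).lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def classify_domain(domain: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike', or 'unrelated' for a sender domain.

    'lookalike' is raised when the domain is not ours (or a subdomain of ours)
    but its skeleton equals ours, starts with ours as a label prefix
    (examplecorp.com.evil-login.net), shares our second-level label under a
    different TLD, or is within max_distance edits of ours.
    """
    d = domain.strip().rstrip(".").lower()
    for good in legit:
        if d == good or d.endswith("." + good):
            return "legitimate"
    sk = skeleton(d)
    for good in legit:
        if sk == good or sk.startswith(good + "."):
            return "lookalike"
        if sk.split(".")[0] == good.split(".")[0]:
            return "lookalike"
        if levenshtein(sk, good) <= max_distance:
            return "lookalike"
    return "unrelated"


def sender_domain(from_header: str) -> str:
    """Extract the domain part of the address in a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2]


# Constructed sample From: header values for illustration.
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <ap@examplecorp.com>",
    "CFO <cfo@mail.examplecorp.com>",
    "CFO <cfo@exarnplecorp.com>",
    "Treasury <treasury@examp1ecorp.com>",
    "Payments <pay@examplecorp.com.evil-login.net>",
    "Vendor <billing@partner-firm.org>",
]


def screen(from_headers):
    """Pair each header value with its verdict; 'lookalike' entries are the
    ones to hold for manual verification before acting on any instruction."""
    return [(h, classify_domain(sender_domain(h))) for h in from_headers]


if __name__ == "__main__":
    for header, verdict in screen(SAMPLE_FROM_HEADERS):
        print(f"{verdict:11s} {header}")
```

The screen deliberately errs toward flagging: a sister domain under another TLD is reported as a lookalike so that a person confirms it, which is the cheaper mistake when the alternative is a fraudulent transfer.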
Types of Coverage and Categories of Cyber Insurance
Similar to home, health, and car insurance, cyber insurance coverage varies. Companies should pay special attention to what costs are reimbursable, who is protected, and when the insurance provider will cover damages or other losses. For example, because companies store a variety of employee data in addition to consumer data, a company should confirm that its cyber insurance policy covers loss of employee data and not only consumer data exposed in an incident. A gap in this type of coverage leaves employees defenseless if their medical and health insurance information, banking and payroll data, or Social Security numbers are compromised during a cyber incident. In addition, policies can be negotiated to ensure coverage for each company’s unique vulnerabilities and weaknesses. To help formulate the best insurance fit, some providers conduct simulated hacks to uncover weaknesses. Likewise, a company can assess its protection needs by performing internal system audits and, based on the results, developing a threat intelligence framework that identifies potential vulnerabilities so it can negotiate its policy accordingly.
Policies can be classified by whether they cover first-party or third-party risks. First-party risks involve the loss or damage to a company’s own data. Typically, these policies cover costs associated with responding to data breaches, such as notifying affected persons, providing credit monitoring services for affected persons, establishing call centers to field questions, and hiring professionals to assist investigation, such as attorneys, public relations firms, and computer forensics firms. Additionally, coverage can include compensation for a company’s lost income resulting from a cyber or data breach, restoring lost data, and administrative safeguards and support to avoid future breaches, such as training employees and creating incident response plans. These policies often specify an overall limit per incident and sub-limits for types of coverage. For example, a policy with a $3 million overall limit might have a $100,000 sub-limit for notification expenses. Thus, a company should closely examine a policy to ensure that it would provide adequate coverage for each anticipated expense.
Third-party risks involve liability to clients, customers, vendors, the government, regulatory entities, or other third parties. Coverage typically provides protection for damages and litigation expenses arising from actions against the insured company following a cyber incident. Holders of such policies include tech companies and IT consultants that could be blamed for errors that led to a breach. For example, a network security company that establishes cybersecurity for a client could be blamed if the client suffers a breach and believes the company was negligent. Policies that include third-party coverage typically provide for regulatory defense costs, fines, and punitive damages as well as litigation defense costs and damages. Companies that outsource certain network operations to third parties should pay special attention to policies that cover losses arising out of non-controlled network incidents.
Regardless of the source, the most prominent cyber risks for a company are privacy risks, information risks, and operational risks. Cyber insurance is designed to protect companies from these risks, through five main categories, each followed by the contingencies covered:
- Network Security Coverage—network security failure that results in a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise. Network security failure results in a broad range of expenses, including legal, IT forensics, negotiation and payment of ransomware demands, data restoration, breach notifications, setting up a call center, public relations expertise, credit monitoring, and identity restoration for victims.
- Privacy Liability Coverage—cyber-incident or privacy law violations. This covers costs that arise from contractual obligations or regulatory investigations by governments and law enforcement.
- Network Business Interruption Coverage—a company’s network, or a provider’s network that it relies on to operate, goes down due to an incident. Such a policy allows for recovery of lost profits, fixed expenses, and extra costs during the time business was affected. This coverage provides protection from losses due to security failures, such as third-party hacks, and from system failures, such as a failed software patch or human error.
- Media Liability Protection—intellectual property infringement, other than patent infringement, resulting from advertising services online, including social media posts, or printed advertising.
- Errors and Omissions Coverage—negligence or breach of contract. It encompasses legal defense costs or indemnification resulting from a lawsuit or dispute with customers when cyber events prevent companies from fulfilling contractual obligations or delivering services to customers.
While the five main categories are relatively comprehensive, a one-size-fits-all policy is rarely the best fit for a company. A well-negotiated policy contains nuanced enhancements that provide better coverage for a company’s unique vulnerabilities. These could incorporate the following:
- Social Engineering Coverage is designed to protect companies from funds-transfer fraud situations, but this is often listed as an exception in a one-size-fits-all policy.
- Reputational Harm Coverage protects companies from loss of revenue over a specified period due to brand reputation damage owing to a cybersecurity incident.
- Bricking Enhancement covers the replacement cost of technology when equipment is rendered useless by a malware attack.
Even with such provisions, cyber insurance generally will have exclusions such as potential future lost profits, loss of value resulting from intellectual property theft, and the cost to upgrade internal security measures. Companies should bear in mind that cyber insurance does not preclude the need for well-established information security measures such as educating employees, having a documented response plan, using multifactor authentication methods, installing anti-malware software, and keeping its detection definitions current.
Lewis Rice has a team of attorneys with broad experience in helping companies review and negotiate insurance policies. Our expertise includes navigating policies for avenues to coverage, defending claims, and providing individuals with notice, both in the event of a breach and as part of larger data breach response efforts. If your company needs assistance with cyber insurance or responding to a cybersecurity incident, please contact one of the attorneys in our Cybersecurity & Data Privacy Practice.
Jenna M. Koleson contributed to this article.