Cyber Security and Data Breaches:

Insurance Protections, Risks and Claims

Cyber Insurance

Cyber specific insurance coverage is a type of standalone insurance that has really developed and expanded greatly over the past five years. The cyber insurance market is worldwide and ever expanding. These insurance policies vary greatly, as they are negotiable and tailored to each insured, depending on its individual needs and risks.

Covered First Party Risks

Covered first party risks include coverage for: (1) business income disruption or extra expenses; (2) lost data; (3) cyber extortion or Ransomware attacks; and (4) other costs associated with dealing with the event.

Business Income Disruption and Other Expenses: When a breach or attack occurs, this covers losses from business interruption, lost income, lost business opportunity and expenses in excess of normal operating costs, in order to repair the system.

Lost Data: This covers the expenses associated with recreating, restoring, and recollecting the data that was lost or stolen, in an attack. This insurance will cover the costs of repairing corrupted data and the costs spent on vendors to recreate unrecoverable data.

Cyber Extortion: In a Ransomware or cyber extortion attack, this covers the negotiations and payments of the ransom to get your data, information or system back.  It will also cover the investigation and analysis of the event.

Costs to Manage the Event:  In addition, these policies also cover the other costs associated with dealing with a breach, such as the costs of hiring public relations experts, credit monitoring, sending notifications, and giving sales discounts to keep your entity in good standing with its customers.

Covered Third Party Risks

Covered third party risks include coverage for: (1) defense costs associated with a privacy breach; (2) liability for the insured’s network security failure; (3) any failure to give proper notification of the breach, should such failure occur; and (4) liability for media and professional liability.

Privacy Breach Defense Costs: This covers the costs relating to penalties and fines administered by regulators, based on a privacy breach.  It will cover the cost of regulatory investigations, liability and defense costs, preparation costs to testify before regulators, and any lawsuits by consumers or financial institutions.

Failed Network Security Liability: When a breach occurs, there has inevitably been a failure of the network’s security system. This will cover costs for liability and defense of lawsuits by consumers or financial institutions.  This includes coverage even if the insured’s security system in place was inadequate or the insured failed to have proper policies and procedures in place relating to technology security.

Privacy Liability: This will cover the failure to prevent a hack, breach, attack, or unauthorized access to or acquisition of private information.  It also covers a failure of those an entity has entrusted with private information. Finally, this will cover an insured that does not give proper notification of a breach.  The covered costs may include liability and defense, third party trade secrets that are lost, notifying individuals of the attack, investigation expenses, and costs associated with public relation experts.

Media and Professional Liability:  This covers the liability and costs associated with an attack that results in online slander or libel, and misappropriation of one’s image, name or likeness.

Risks Typically Not Covered by Cyber Liability Policies

There are certain risks that are not usually covered by a cyber liability policy, including: (1) Damage to Reputation; (2) Remediation Costs; (3) IP Theft; and (4) Cyber Theft and Phishing.

Damage to Reputation:  These cyber policies do not cover damages to an entity’s reputation or reduction in value of a company’s brand.

Remediation Costs:  Also not covered by typical cyber policies are remediation costs, meaning costs associated with fixing a previously defective security system, improving the system, or making a flawed security system effective.  So, these policies will not cover improving the system beyond what existed before the cyber attack. Also not covered would be costs associated with law enforcement efforts or post-event system improvements.

IP Theft:  Cyber policies usually do not include coverage for the lost or decreased value of intellectual property, as the result of a breach.  There typically will also not be coverage for damages suffered as the result of an attack that occurs, which results in the IP being published.

Cyber Theft and Phishing:  Direct cyber theft of funds is usually covered by a standard crime insurance policy, so will not be covered by a cyber policy.  As discussed above, these standard crime policies will cover a hacker who is able to obtain funds or convince a financial institution that it is actually the insured and to transfer funds to the hacker.  Phishing is typically not covered by standard insurance policies or cyber insurance policies, as the access that is gained in a phishing situation is not technically “unauthorized”. In order to be covered for a phishing attack, an entity must obtain a phishing endorsement, which is special coverage for this kind of socially engineered attack.  These endorsements are not offered by all cyber insurance providers and may increase the premium costs significantly.

Beware of “Best Practices Exclusions”: Cyber insurance policies should NEVER include a “best practices exclusion”.  These exclusions typically indicate that the insured must maintain security and device encryption in line with the industry’s best practices.  If this exclusion were to be included in a policy, it would be very easy for an insurance company to deny coverage and claim that the insured simply failed to maintain industry best practices.