Companies that suffer a data breach incur significant costs, including but not limited to forensic investigation costs, breach notification costs, credit monitoring costs, crisis management costs, lost business, and legal/litigation costs. To protect themselves, companies can purchase a specialty insurance policy referred to as “cyber” insurance. Cyber insurance policies can provide first-party (cybercrime) coverage as well as third-party (cyber liability) coverage. They can cover direct loss and legal liability, along with the resulting consequential loss, caused by cyber security breaches. Cyber insurance policies are usually claims-made and can be very expensive, although the costs have come down as more carriers have entered the market. Depending on the policy, notification costs, credit monitoring and other direct expenses can be insured if there is a data breach, even if there is never a liability claim. Regulatory fines and penalties can be included or are endorsable. Some insurance carriers provide crisis management, a call center, and other services to the policyholder when cyber insurance is purchased.
A cyber insurance policy should provide coverage for the following first-party costs:
- Legal and forensic services to determine whether a breach occurred and to assist with regulatory compliance if a breach is verified;
- notification of affected customers and employees;
- electronic information restoration;
- customer credit monitoring and identity protection services;
- crisis management and public relations to educate the company’s customers about the breach;
- business interruption expenses, such as additional staff, rented or leased equipment, third-party services, and additional labor arising from a coverage claim;
- public relations firm fees to restore reputation and mitigate damages;
- regulatory fines;
- cyber extortion reimbursement for perils including credible threats to introduce malicious code, pharm and phish customer systems, or corrupt, damage or destroy their computer system; and
- systems failure and administrative error.
Similarly, a cyber policy should provide coverage for the following third-party costs:
- Judgments, settlements or civil awards;
- electronic media liability, including infringement of copyright, domain name, trade name, service mark or slogan;
- PCI fines and assessments; and
- potential employee privacy liability as well as network security and privacy liability.
Excellent resources include “Department: Technology: Risky Business: Why Lawyers Need to Understand Cyber Insurance for Their Clients”, Shawn Tuma and Katti Smith, 78 Tex. B.J. 854 (December 2015); and “Department: Law Practice Solutions: Everything You Need to Know about Cyber Liability Insurance But Never Knew to Ask”, JoAnn Hathaway, 95 MI B.J. 42 (December 2016).
Even companies that purchase cyber liability policies may end up in a coverage dispute with their insurance carriers. See Travelers Prop. Cas. Co. of Am. v. Fed. Recovery Servs., No. 2:14-CV-170 (D. Utah May 11, 2015) (complaint had to contain allegations of negligence to trigger duty to defend); Doctors Direct Ins., Inc. v. Bochenek, 38 N.E.3d 116 (Ill. Ct. App. 2015) (no coverage under cyber claims endorsement for TCPA or consumer protection claims); Columbia Cas. Co. v. Cottage Health Sys., No. 2:16-CV-3759 (C.D. Cal. July 17, 2015); and P. F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM (D. Ariz. 2016).
It is important for companies to carefully analyze their risks and to review the wording of any cyber policy they purchase to make sure it actually provides the coverage those risks and their business needs require. Some policies are better written than others.
Lori L. Siwik is a founder of and the managing partner of SandRun Risk in Richfield, Ohio.