August 14, 2017 Practice Points

How Companies Can Make Sure Their Cyber Policies Provide Coverage for Data Breaches

Besides knowing the federal, state, and local laws and regulations, companies should thoroughly assess their own cybersecurity risks through a risk assessment

by Lori L. Siwik

Companies should develop and maintain a risk management program for addressing their cybersecurity risks. Besides knowing the federal, state, and local laws and regulations, companies should thoroughly assess their own cybersecurity risks through a risk assessment. The assessment should include:

  • Defining the system;
  • identifying and classifying critical cyber assets;
  • identifying and documenting the electronic security perimeters;
  • performing a vulnerability assessment;
  • assessing risks to system information and assets;
  • selecting security controls;
  • monitoring and assessing the effectiveness of controls using pre-defined metrics;
  • developing and implementing effective cybersecurity policies;
  • determining employees’ level of understanding of cybersecurity and whether training is needed.

(Recently, the American Bar Association Cybersecurity Legal Task Force created a cybersecurity checklist.)

Companies that suffer a data breach incur significant costs including, but not limited to, forensic investigation costs, breach notification costs, credit monitoring costs, crisis management costs, lost business, and legal/litigation costs. To protect themselves, companies can purchase a specialty insurance policy referred to as “cyber” insurance. Cyber insurance policies can provide first-party (cybercrime) coverage as well as third-party (cyber liability) coverage. They can provide coverage for direct loss and legal liability, with resulting consequential loss, caused by cyber security breaches. Cyber insurance policies are usually claims-made and can be very expensive, although the costs have come down as more carriers have entered the market. Depending on the policy, notification costs, credit monitoring, and other direct expenses can be covered if there is a data breach, even if there is never a liability claim. Regulatory fines and penalties can be included or are endorsable. Some insurance carriers provide crisis management, a call center, and other services to the policyholder when cyber insurance is purchased.

A cyber insurance policy should provide coverage for the following first-party costs:

  • Legal and forensic services to determine whether a breach occurred and to assist with regulatory compliance if a breach is verified;
  • notification of affected customers and employees;
  • electronic information restoration;
  • customer credit monitoring and identity protection services;
  • crisis management and public relations to educate the company’s customers about the breach;
  • business interruption expenses, such as additional staff, rented or leased equipment, third-party services, and additional labor arising from a coverage claim;
  • public relations firm fees to restore reputation and mitigate damages;
  • regulatory fines;
  • cyber extortion reimbursement for perils including credible threats to introduce malicious code, pharm and phish customer systems, or corrupt, damage or destroy their computer system; and
  • systems failure and administrative error.

Similarly, a cyber policy should provide coverage for the following third-party costs:

  • Judgments, settlements or civil awards;
  • electronic media liability, including infringement of copyright, domain name, trade name, service mark or slogan;
  • PCI fines and assessments; and
  • potential employee privacy liability as well as network security and privacy liability.

Excellent resources include “Department: Technology: Risky Business: Why Lawyers Need to Understand Cyber Insurance for Their Clients”, Shawn Tuma and Katti Smith, 78 Tex. B.J. 854 (December 2015); and “Department: Law Practice Solutions: Everything You Need to Know about Cyber Liability Insurance But Never Knew to Ask”, JoAnn Hathaway, 95 MI B.J. 42 (December 2016).

Even companies that purchase cyber liability policies may end up in a coverage dispute with their insurance carriers. See Travelers Prop. Cas. Co. of Am. v. Fed. Recovery Servs., No. 2:14-CV-170 (D. Utah May 11, 2015) (complaint had to contain allegations of negligence to trigger duty to defend); Doctors Direct Ins., Inc. v. Bochenek, 38 N.E.3d 116 (Ill. Ct. App. 2015) (no coverage under cyber claims endorsement for TCPA or consumer protection claims); Columbia Cas. Co. v. Cottage Health Sys., No. 2:16-CV-3759 (C.D. Cal. July 17, 2015); and P. F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM (D. Ariz. 2016).

It is important for companies to carefully analyze their risks and make sure that the cyber policy they purchase to cover those risks actually provides the coverage the company needs. Companies should review the cyber policy wording carefully to make sure that it meets their business needs. Some policies are better written than others.

Lori L. Siwik is a founder of and the managing partner of SandRun Risk in Richfield, Ohio.


Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).