Organizations of all types and sizes and across all industry sectors face a seemingly endless stream of data breaches and other severe cybersecurity and data-privacy-related incidents. In addition, recent years have seen dramatically heightened regulatory scrutiny and a remarkable proliferation and expansion of data privacy and protection laws, including the European General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Illinois Biometric Information Privacy Act (BIPA), among others, as well as evolving, serious cybersecurity threats, such as cyber extortion and ransomware. Indeed, ransomware has recently emerged as a significant threat to organizations. Coalition's newly released H1 2020 Cyber Insurance Claims Report finds that the average ransom demand among its policyholders increased 100 percent from 2019 through the first quarter of 2020 and increased another 47 percent from Q1 to Q2 2020, during the beginning of the COVID-19 pandemic.
In the wake of an incident of any consequence, an organization faces myriad different forms of losses and liabilities. An organization may face class action litigation, shareholder litigation, and regulatory investigations, for example, together with the first-party costs associated with forensic investigations and crisis management costs related to the notification of persons whose information may have been compromised, credit monitoring, call center services, public relations expenses, and other event management activities. In addition, organizations may face substantial first-party losses associated with reputational injury and damage to the brand in the wake of a severe incident and substantial business income losses if an event disrupts normal day-to-day business operations. Ransomware incidents, for example, frequently entail very significant interruptions to ongoing daily business activities, and recovering can be time-consuming and challenging—even where backups are maintained and available.
Even if an organization’s systems are not compromised, the organization may suffer significant business losses if an incident affects a key vendor, cloud provider, or other key parties in the organization’s product and service supply chain. Also at stake are the organization’s digital assets, which in some cases may eclipse the value of the organization’s other property.
Cyber Insurance Basics
Against this backdrop, so-called “cyber” insurance can play a vital role in an organization’s overall strategy to address, mitigate, and maximize protection against the legal and other exposures flowing from data breaches and other serious cybersecurity, privacy, and data protection-related incidents.
Cyber insurance typically includes the following third-party coverages:
- Privacy liability—Generally covers third-party liability, including defense costs and judgments or settlements, arising from data breaches, such as the Target breach, and other failures to protect personal, protected, or confidential information
- Security liability—Generally covers third-party liability, including defense costs and judgments or settlements, arising from security failures affecting networks, e.g., third parties' inability to access the insured's network because of a DDoS attack, or transmission of malicious code from the insured's network to a third-party network
- Regulatory liability—Generally covers amounts payable in connection with administrative or regulatory investigations and proceedings, including regulatory fines and penalties
- PCI DSS-related liability—Generally covers amounts payable in connection with payment card industry demands for assessments, including contractual fines and penalties, for alleged non-compliance with PCI Data Security Standards
- Media liability—Generally covers third-party liability arising from infringement of copyright or other intellectual property rights and torts such as libel, slander, and defamation, which arise from media-related activities, e.g., broadcasting and advertising
Cyber insurance also typically covers the following types of first-party losses:
- Crisis management—Generally covers the "crisis management" expenses that usually follow in the wake of a breach incident, e.g., breach notification costs, credit monitoring, call center services, forensic investigations, and public relations efforts
- Network interruption—Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of computer systems or networks
- Contingent network interruption—Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of a third party’s computer systems or networks
- Digital assets—Generally covers the organization's costs associated with replacing, recreating, restoring, and repairing damaged or destroyed computer programs, software, and electronic data
- Cyber extortion—Generally covers losses associated with cyber extortion, e.g., payment of an extortionist’s demand to prevent a cybersecurity or data privacy-related incident
Tips for Purchasing Cyber Insurance
Cyber insurance coverage can be extremely valuable but choosing the right insurance product presents significant challenges. A diverse and growing array of products is available in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. In addition, the specific needs of different industry sectors and different organizations within those sectors are far-reaching and diverse.
Although placing coverage in this dynamic space presents a challenge, it comes with substantial opportunity. Cyber insurance policies are often highly negotiable. The terms of the insurers’ off-the-shelf policy forms may be significantly enhanced and customized to respond to the insured’s particular circumstances. Frequently, very significant enhancements can be achieved for no increase in premium.
Organizations purchasing cyber insurance are well-advised to take the following steps:
1. Adopt a Team Approach. Successful placement typically requires the involvement and input of risk management, in-house legal, IT, privacy, and compliance officials, a knowledgeable insurance broker, and experienced insurance coverage counsel.
2. Ask the Right Questions. It is important to carefully evaluate the coverage. For example, does the insurance policy cover:
- The acts, errors, and omissions of third parties, e.g., vendors, for which the organization may be liable?
- New and expanding privacy laws and regulations?
- The COVID-19 remote working environment?
- Confidential corporate data, e.g., third-party trade secrets?
- Wrongful or unauthorized collection of data?
- The acts of rogue employees (insider threats)?
- Incidents involving lost or stolen unencrypted devices?
- Business income loss, including unplanned outages?
- Contingent business income loss resulting from the failure of a third-party network?
- Data restoration costs?
- Ransomware attacks?
3. Beware the Fine Print. Like any other insurance policy, a cyber insurance policy contains exclusions and conditions that may significantly curtail the coverage and undermine its purpose. Carefully review all terms, conditions, and exclusions before binding coverage, not after a claim arises.
Cyber insurance coverage can be extremely valuable. Before a claim arises, organizations are encouraged to negotiate and place the best practicable coverage proactively. A well-negotiated insurance program, together with solid business continuity planning and comprehensive, proactive cybersecurity policies and procedures, will position an organization to be resilient in the face of severe and escalating cyber and privacy-related incidents.