The potential for cyberattacks and data breaches continues to loom large in any company's calculus of risk, and events like the recent WannaCry attack only underscore the threat. For years, the insurance industry has responded by offering variations on cyber risk insurance. However, not all policies are created equal, and it is important for the insured to understand what is covered, and what is not, before a loss occurs.
At its most basic level, cyber risk insurance can be divided into first-party and third-party coverages. Most policies will contain some combination of these coverage types. Both of these coverages potentially contain pitfalls for the unwary.
First-party coverage. This concerns loss suffered by the insured itself, such as losses due to cyber theft and cyber extortion/ransomware. Insureds should look for policies that also cover losses due to network business interruption and that include data loss protection as well as forensic investigation coverage (i.e., the cost of determining the cause and scope of the loss). Paying for an intensive internal investigation of system vulnerabilities may be the most valuable benefit of first-party coverage, since that investigation is what turns a suspected incident into a documented, quantifiable claim.
Recent ransomware incidents highlight how crippling malicious code can be to your business. And if your business depends on its online links to customers, you will want to ensure broad coverage for “threats and extortion” within your cyber policy, including payment of ransom costs in an extortion scenario.
Common exclusions that the insured would do well to avoid are (1) exclusions for self-propagating code, which could bar coverage for exactly the kind of worm-style attack that WannaCry was; (2) war and/or terrorism exclusions, which could prevent coverage if the insurer attributes the attack to a foreign state or an unknown foreign source; and (3) exclusions for failure to maintain minimum security standards, which are often vaguely defined (for example, a general obligation to keep systems "patched" or to maintain the controls described in the insurance application) and difficult to demonstrate compliance with in practice.
Third-party coverage. This coverage concerns losses suffered by third parties for which the insured is liable, such as losses arising from a breach of the insured's network security (i.e., network security liability) and losses due to the insured's failure to protect a third party's confidential information (i.e., privacy liability). An insured should consider whether its policy covers regulatory actions and, if so, whether coverage is triggered only by a "suit," which would mean that the insured has no coverage for the frequently expensive investigative stage of a governmental action that precedes any formal proceeding. Some policies also cover costs associated with the after-effects of a network security or privacy breach, such as the cost of notifying third parties affected by the breach, the cost of ongoing credit or identity monitoring for those third parties, and the cost of hiring a PR firm to protect the insured company's image.
If a Cyber Threat Appears
If you become aware of any cyber threat whatsoever, it is imperative that you contact your insurance providers as soon as possible. Many policies impose notice deadlines and require the insurer's consent before the insured retains outside vendors or pays a ransom, so late notice or unapproved spending can jeopardize coverage. If you have purchased stand-alone cyber insurance, for example, the insurer may have forensic experts lined up to assist in addressing any breach situation. Even if you do not have a stand-alone cyber policy, you should check your commercial liability insurance (including general liability, D&O or professional liability), media policies and/or kidnap and ransom coverage. Depending upon the facts, these other policies might also be implicated by a cyber risk or claim.
Although the above provides a broad overview of cyber risk insurance, as with any type of insurance, the devil is in the details. Any purchase of insurance carries some degree of uncertainty, but this can be limited by having your potential policy closely reviewed by a specialist in the field. And should the day arise when a cyber loss occurs, having your policy assessed by an experienced insurance litigator could help ensure that your company gets the best coverage result possible.