Jul 25, 2018

Cyber Insurance: Frequently Asked Questions

What is cyber insurance?

Cyber insurance is a type of insurance that can help protect a business in the event of a data breach, network security failure, or other cyber threat, and from risks relating to information technology infrastructure and activities.

Cyber insurance is a fairly new concept.  The first stand-alone cyber insurance policies appeared in the 1990s.  Cyber insurance policies have evolved over the years, and are still evolving.  The available coverage varies widely among different insurers.  There is no standard policy, with each carrier writing its own policy.

In general, there are several types of cyber insurance policies available to business entities.  These include, but are not limited to, cyber insurance policies with liability coverage, breach and event response coverage, regulatory coverage, extortion coverage, loss of income coverage, data replacement coverage, and deceptive fraud transfer coverage.

What is cyber risk?

Cyber risk is the risk of financial or reputational harm or damage to a business entity resulting from the failure or disruption of its information technology systems, including computer systems.The various types of cyber incidents that create cyber risk include the following:

  • Hacker attacks on computer systems resulting in a breach of confidential data.
  • Human error resulting in lost or stolen electronic devices containing confidential data.
  • Social engineering and spear phishing via emails ostensibly from a known or trustworthy sender targeted at employees to induce them to reveal confidential information.
  • Virus, malware, ransomware, or spyware.
  • Power surges or natural disasters.
  • IT system failure or accidental data damage.
  • Cyber extortion threats or attacks by a criminal coupled with a demand for money or other response in return for stopping or remediating the attack.
  • Denial of service attacks by multiple systems that flood a targeted system and prevent legitimate users from accessing services.
  • Malicious destruction of data or misuse of personal data.
  • Breach of privacy.
  • Defamation or slander, including the transmission of malicious content.

What type of data is covered by cyber insurance?

Cyber insurance policies typically address the following types of data:

  • Personally identifiable information (PII), including names, addresses, telephone numbers, social security numbers, account numbers, driver’s license numbers, passwords, and financial information.
  • Protected health information (PHI), including any individually identifiable health information and any part of a patient’s medical record.
  • Payment card information (PCI), including names, account numbers, expiration dates, verification numbers, security codes and other personal information held to process a payment card transaction.
  • Confidential and protected corporate information, including client information, intellectual property, trade secrets, or merger and acquisition information.

What type of coverage is available under cyber insurance policies?

Insurance companies offer first-party and third-party insurance policies for cyber losses.

First-party coverage insures for losses to the policyholder’s own data, lost income or other harm to the policyholder’s business resulting from a data breach, cyber-attack or ransomware attack.  First-party coverage applies to direct costs of the insured business for responding to a data breach or security failure.

Third-party coverage insures against liability to third parties (including customers and government entities) as a result of a data breach, cyber-attack or ransomware attack.  Third-party coverage applies when persons sue or make claims against the insured business, or governments or regulators demand information from the insured business.

What types of first-party coverage are available?

  • Business interruption and lost income – covers lost income and increased operating expenses when a cyber-incident damages an entity’s network or causes the loss of data that disrupts business continuity and operations.
  • Computer data loss and network restoration – covers physical damage to an entity’s computer system and the cost to retrieve and restore damaged or stolen data, hardware, and software.
  • Forensic investigation services – covers costs and expenses for technical, legal or other expert services to assess and stop a cyber-incident.
  • Notification costs – covers legal advice regarding laws and regulations governing breach remediation, including costs to notify all victims, including customers and employees, of a cyber-incident and possible identity or credit card theft.
  • Crisis management and public relations – covers customer support, call centers, credit monitoring, and other expenses to educate victims of a cyber-incident of the breach and the business entities’ response, as well as consulting fees to protect against public relations damages.
  • Extortion and ransomware – covers costs for the investigation of cyber-attacks and threats of attacks, as well as for payments to extortionists.
  • Electronic theft – covers a business entity’s money that is stolen as a result of network breach and fraudulent transfer of electronic funds.

What types of third-party coverage are available?

  • Litigation – covers costs to defend lawsuits, including class actions, involving allegations of a failure to prevent the unauthorized use / access of confidential information or of a failure of system security to prevent or mitigate a computer attack, the spread of a virus, or a denial of service, and the payment of judgments, settlements and damages arising out of such a cyber-incident.
  • Governmental and regulatory – covers costs to respond to or defend against governmental investigations or proceedings, as well as the payment of fines and penalties, relating to a cyber-incident.
  • Credit and fraud monitoring – covers costs for customer credit monitoring, identity theft protection services, and fraud monitoring following a cyber-incident.
  • Multimedia – covers costs related to claims of online defamation, copyright and trademark infringement.

What is excluded from coverage under cyber insurance?

Similar to other types of insurance policies, cyber insurance policies often exclude certain losses from coverage.  Typical exclusions include claims arising from war, breach of contract, theft of trade secrets, unfair trade practices, and employment practices.  Cyber insurance policies also typically exclude coverage for willful, intentional, deliberate, malicious, fraudulent, dishonest, or criminal acts or omissions of the insured.

Are cyber risks and losses already covered under traditional business insurance policies?

In the past, general liability, directors-and-officers, professional liability, or property insurance policies may have provided limited coverage for certain cyber risks, but there were often grey areas or gaps in coverage.  However, as cyber risks have evolved, these types of traditional insurance policies generally exclude coverage for cyber risks and losses.  Insurance companies often include exclusionary language in traditional liability policies stating that cyber risks are not covered.  Even business liability policies with general cyber coverage extensions usually are not comprehensive enough to fully address cyber risk in today’s environment.  Today, tailored cyber insurance policies are designed and offered to specifically cover and mitigate first-party and third-party cyber risks.

What types of business entities should have cyber insurance?

Any business entity that handles confidential client, customer or employee information, such as personally identifiable information, should have cyber insurance.  Likewise, any business entity using a company website, email or other internet capabilities, or a business that provides IT-related work, should have cyber insurance.

Are business entities required to carry cyber insurance coverage?

Currently, there is no law that requires a business entity to carry cyber liability insurance.  However, there is a clear trend to require proof of cyber insurance coverage in business contracts.  Also, commercial best practices indicate that business entities should have cyber insurance coverage, especially given the increasing number of cyber-attacks and data breaches.

Do business entities need cyber insurance if they use state-of-the-art protection, including antivirus software, data encryption or an IT department?

Having the latest technology, such as firewalls, encryption, security software or IT outsourcing, helps to reduce the risk of a breach, but this technology does not make an entity impermeable to cyber losses.  Sophisticated businesses with top-of-the-line anti-virus software and expert IT departments have experienced high-profile data breaches resulting in dramatic financial losses.  Additionally, cyber risks and losses can result from human error, such as a lost laptop or discarded documents that were not shredded.  Having appropriate cyber insurance coverage in place is another way to mitigate harm and damages, but such insurance is not a substitute for strong technology and human cybersecurity measures, such as ongoing training and security policies and protocols.  Cyber insurance sits alongside and complements other cybersecurity controls.

What should business entities do when a cyber-incident happens that might be covered by cyber insurance?

Business entities with cyber insurance should immediately notify their insurer and broker when a cyber-event occurs.  Special care should be taken to ensure that the notification is within the time frame specified in the cyber insurance policy.  Many insurance companies have a pre-approved panel of attorneys, consultants and vendors that insured businesses can consult and begin using following a breach.