Cyber attacks present a growing risk to businesses and individuals, and that risk is unlikely to abate. Traditional business insurance products are unlikely to cover losses from cyber attacks; instead, businesses must turn to specialized cyber insurance products to protect themselves.
More than twenty carriers currently write cyber insurance policies. Most offer multiple coverages, which must be carefully tailored to a company’s unique cyber risk profile. Companies at risk of financial losses from cyber attacks should carefully consider whether these products can play a role in their plans for managing cyber risks. Different companies and different industries may vary widely in their needs, so the advice of a knowledgeable broker and counsel is invaluable.
With that caveat, cyber insurance policies typically include a variety of first-party and third-party coverage options. Two specialized first-party coverage options that require careful consideration are Event Management coverage and Business Loss coverage. For third-party coverage, businesses should consider the degree to which defense costs will be covered and what types of third-party damages are included in coverage.
Event Management or Breach Remediation covers the direct expense of responding to a cyber security breach. The scope of coverage can vary among carriers, but covered expenses may include:
- Hiring an independent information security forensics firm
- Public relations
- Notification of affected parties
- Credit monitoring for individuals
- Identity theft resolution services
- Call centers
- Costs to re-secure, re-create and/or restore data or systems
- Legal services/advice
- Crisis management services
- E-extortion costs (hacker demands to restore data/access)
Most policies offer coverage for loss of business income due to a breach that results in an actual interruption or impairment of the insured’s business operations. The important distinction among the policies is the duration of such coverage. For example, one policy may cover loss of business income from the time the network interruption begins until some fixed period (for example, 120 days) after the interruption ends. Other policies cover loss of business income until business operations are back to normal or 60 days after the insured’s system is restored, whichever comes earlier.
Other First-Party Coverages
Other important first-party coverages typically offered in cyber insurance policies include:
- Denial of service costs to business
- Losses resulting from misappropriation of confidential information
- Damage to systems
- Loss of intellectual property
Cyber insurance policies usually offer some type of coverage for third-party claims based on a failure to protect confidential information. Some also cover the insured’s failure to disclose a breach in accordance with privacy laws, in violation of privacy statutes. Given the proliferation of statutes and regulations governing data privacy, such coverage may be increasingly valuable. Some policies cover not only injury incurred by a third party due to loss of use of its own system as a result of the cyber attack on the insured, but also injury to the third party caused by an inability to access the insured’s system. Not all policies include coverage for losses resulting from reputational injury, but many offer an additional coverage section for purchase to cover those types of losses.
Other important third-party coverages typically offered in cyber insurance policies include:
- Defense costs
- Libel, slander, defamation and other media torts
- Copyright, trademark and patent infringement
- Data and Personally Identifiable Information (PII) loss
- Fines and penalties
Given the variability in companies’ cyber risk profiles, the pricing spectrum for cyber insurance policies is broad and unpredictable. Even two similar companies in the retail industry could face significantly different pricing because of loss history and security and privacy controls. Rather than asking whether a premium is standard for the market, prospective policyholders may be best served by seeking objective counsel to help assess the premium cost in light of their own particular risk of loss.