Insuring Companies from Cyber Risk and Liability

Recently, privacy, data breaches, and cyber security issues have taken center stage in the media.  In the event of a data breach, a company faces a multitude of expenses both internally and externally including but not limited to investigation, business loss, and remediation.  Companies are responding to the risk of data breach events, in part, by seeking insurance coverage.  Insurance carriers are accommodating this need by selling policies to protect companies in the event of a breach.

Generally, coverage for cyber risk and liability is divided into two classes: First-Party coverage and Third-Party coverage. First-party coverage applies to protect the insured from the costs to its business in the case of a breach. Examples of such costs include expenses like business loss/interruption and replacing/repairing equipment that may have been damaged or affected during the breach.

Third-party coverage applies to the costs an insured may have to pay to third parties or due to injuries of third-parties. Examples of such coverage include judgments as a result of a lawsuit and other expenses a company would have to pay to a third-party, expenses associated with notification of a breach to affected persons and credit monitoring.  Also, third-party coverage can insure expenses in responding to government regulators after a breach for purposes of investigation into the breach or penalties/fines as a result hereof.  Investigation into the cause of a data breach is often times costly and time-consuming.

There is not a “one-size-fits-all” policy with respect to insuring cyber liability.  Instead, policies can be tailored to the needs of the company seeking coverage.  By way of example, coverage and premiums can vary based on the following:

• The industry in which a company operates;
• The geographical area in which the company operates (local, national, international);
• The size of the company;
• Coverage for actions of third party vendors storing/accessing a company’s information;
• Effective date of the policy (retroactive v. date policy purchased);
• Remediation coverage; and
• Business loss.

The above-bulleted list is not comprehensive but highlights some differences between policies.  Not every carrier will have the same types or level of coverage available.  Furthermore, policies insuring from cyber liability can include clauses that exclude certain events from coverage.

For a company, the decision to purchase cyber liability insurance is not always an easy one.  A company is well-advised to evaluate its risk, exposure, and needs to ensure it purchases the correct level and type of coverage.  Often times, policies have room for negotiation with respect to coverage and price.  Costs can vary between carriers, even for similar levels of coverage.  A company should also be informed on the specific requirements that are sometimes included in a policy.  For example, certain policies may require that a company engage in preventative measures to ensure that its costumer’s data is safely stored.  The issue with some policies, however, is that it will include language like “due care” which is difficult to define.  A company that fails to adhere to the requirements of policy may be denied coverage in the event of a data breach.  When purchasing a policy, a company should also be aware of not only the total limits of the policy, but of any sub-limits.  Specifically, a policy may limit the amount of coverage for investigation, notification, and remediation portions of a breach event that may be smaller than the overall coverage limit.

Cyber liability insurance policies will continue to evolve due to the dynamic nature of cyber security.  Companies are well advised to continuously monitor the risks, exposure, and needs to ensure that they have adequate protection in the event of breach.