Cyber Security and Data Breaches:
Insurance Protections, Risks and Claims
Rose & deJong S.C.
March 20, 2018
Technology is becoming essential to every business and with that comes risks, as hacking, viruses, phishing, and other cyber attacks have become real problems for businesses in every industry. Many businesses rely on basic Commercial General Liability (CGL) coverage and Commercial Property coverage to protect them. It’s only after suffering a data breach or being the victim of fraud that they realize their coverage is insufficient. The following is a topic summary and base on cyber insurance coverage available, the types of damages each one covers and their limitations.
Depending on the type of breach or attack that occurs, certain insurance policies will cover such attacks and others will not. The key to feeling safe with your insurance coverage is to obtain a policy that covers many different types of cyber attacks.
Cyber Attack Coverage under Traditional Insurance
Traditional insurance policies will usually have more exclusions than cyber-specific insurance policies. Although not extensive or sufficient to fully protect an entity from an attack, there may be some cyber security coverage for the following traditional insurance policies: Commercial Property Insurance, Standard Crime Insurance, Director & Officer Insurance, and Commercial General Liability Insurance.
Commercial Property Insurance Coverage
Commercial Property Insurance Policies do not usually have much application to cyber security. This insurance usually covers damage to property and business interruption. If a natural disaster occurs, this type of coverage will usually cover damage to an entity’s material property, but does not cover loss of data, for example data stored on hardware. Also, business interruption coverage under a commercial property insurance policy will usually not cover a breach or cyber attack that shuts down a company for a period of time.
Standard Crime Insurance Policies
Crime policies usually do provide for some coverage for computer-related criminal activity that results in a loss. This may include funds transfer coverage and computer fraud coverage.
Funds Transfer Insurance: This type of coverage covers the loss of property, funds or securities suffered by an entity that came about due to a third party’s computer fraud. For example, if a hacker poses as an entity and instructs a financial institution to transfer money to the hacker, this would be covered by funds transfer insurance. Ordinarily, this type of coverage will not include liability for losses sustained as a result of “phishing”. Phishing occurs when a company or employee thereof is duped by a hacker and tricked into electronically transferring funds or information to the hacker. This would not strictly be an “unauthorized” transfer because the employee or entity did in fact authorize it, but was deceived as to who or where the transfer was going. To be covered for phishing attacks, one needs a special phishing endorsement, under its cyber liability policy.
Computer Fraud Insurance: This covers a traditional hack, whereby a third party hacks into a system and steals property, funds, or securities directly. This type of policy would also not cover a phishing attack, as described above.
Director and Officer Coverage
These policies typically cover employment practices, shareholder derivative actions against the board, reporting mistakes, and failure to comply with the law or regulations. These policies usually include exclusions for intellectual property claims, terrorism claims, and increasingly contain specific cyber liability exclusions.
Commercial General Liability Policies
This type of policy generally covers bodily injuries, damage to tangible property, and personal and advertising injuries. Personal and advertising injury covers costs that an insured is obligated to pay as a result of a slanderous or libelous written or oral publication directed towards a person or organization, or a person’s or organization’s products or services. There is an argument that when a cyber attack occurs, it should be covered by a CGL policy because the hack is essentially a “publication” because the hacker has taken the information and now possesses it, a misappropriation of privacy. This argument has not proven entirely successful in the courts, as CGL policies would generally only cover the insured if the insured was the one who published the information. So, even though one could make an argument that a CGL policy should cover a cyber attack, this is not advisable. Also, like other traditional insurance policies, many CGL policies now have explicit language that excludes coverage for all cyber liability.
Cyber specific insurance coverage is a type of standalone insurance that has really developed and expanded greatly over the past five years. The cyber insurance market is worldwide and ever expanding. These insurance policies vary greatly, as they are negotiable and tailored to each insured, depending on its individual needs and risks.
Covered First Party Risks
Covered first party risks include coverage for: (1) business income disruption or extra expenses; (2) lost data; (3) cyber extortion or Ransomware attacks; and (4) other costs associated with dealing with the event.
Business Income Disruption and Other Expenses: When a breach or attack occurs, this covers losses from business interruption, lost income, lost business opportunity and expenses in excess of normal operating costs, in order to repair the system.
Lost Data: This covers the expenses associated with recreating, restoring, and recollecting the data that was lost or stolen, in an attack. This insurance will cover the costs of repairing corrupted data and the costs spent on vendors to recreate unrecoverable data.
Cyber Extortion: In a Ransomware or cyber extortion attack, this covers the negotiations and payments of the ransom to get your data, information or system back. It will also cover the investigation and analysis of the event.
Costs to Manage the Event: In addition, these policies also cover the other costs associated with dealing with a breach, such as the costs of hiring public relations experts, credit monitoring, sending notifications, and giving sales discounts to keep your entity in good standing with its customers.
Covered Third Party Risks
Covered third party risks include coverage for: (1) defense costs associated with a privacy breach; (2) liability for the insured’s network security failure; (3) any failure to give proper notification of the breach, should such failure occur; and (4) liability for media and professional liability.
Privacy Breach Defense Costs: This covers the costs relating to penalties and fines administered by regulators, based on a privacy breach. It will cover the cost of regulatory investigations, liability and defense costs, preparation costs to testify before regulators, and any lawsuits by consumers or financial institutions.
Failed Network Security Liability: When a breach occurs, there has inevitably been a failure of the network’s security system. This will cover costs for liability and defense of lawsuits by consumers or financial institutions. This includes coverage even if the insured’s security system in place was inadequate or the insured failed to have proper policies and procedures in place relating to technology security.
Privacy Liability: This will cover the failure to prevent a hack, breach, attack, or unauthorized access to or acquisition of private information. It also covers a failure of those an entity has entrusted with private information. Finally, this will cover an insured that does not give proper notification of a breach. The covered costs may include liability and defense, third party trade secrets that are lost, notifying individuals of the attack, investigation expenses, and costs associated with public relation experts.
Media and Professional Liability: This covers the liability and costs associated with an attack that results in online slander or libel, and misappropriation of one’s image, name or likeness.
Risks Typically Not Covered by Cyber Liability Policies
There are certain risks that are not usually covered by a cyber liability policy, including: (1) Damage to Reputation; (2) Remediation Costs; (3) IP Theft; and (4) Cyber Theft and Phishing.
Damage to Reputation: These cyber policies do not cover damages to an entity’s reputation or reduction in value of a company’s brand.
Remediation Costs: Also not covered by typical cyber policies are remediation costs, meaning costs associated with fixing a previously defective security system, improving the system, or making a flawed security system effective. So, these policies will not cover improving the system beyond what existed before the cyber attack. Also not covered would be costs associated with law enforcement efforts or post-event system improvements.
IP Theft: Cyber policies usually do not include coverage for the lost or decreased value of intellectual property, as the result of a breach. There typically will also not be coverage for damages suffered as the result of an attack that occurs, which results in the IP being published.
Cyber Theft and Phishing: Direct cyber theft of funds is usually covered by a standard crime insurance policy, so will not be covered by a cyber policy. As discussed above, these standard crime policies will cover a hacker who is able to obtain funds or convince a financial institution that it is actually the insured and to transfer funds to the hacker. Phishing is typically not covered by standard insurance policies or cyber insurance policies, as the access that is gained in a phishing situation is not technically “unauthorized”. In order to be covered for a phishing attack, an entity must obtain a phishing endorsement, which is special coverage for this kind of socially engineered attack. These endorsements are not offered by all cyber insurance providers and may increase the premium costs significantly.
Beware of “Best Practices Exclusions”: Cyber insurance policies should NEVER include a “best practices exclusion”. These exclusions typically indicate that the insured must maintain security and device encryption in line with the industry’s best practices. If this exclusion were to be included in a policy, it would be very easy for an insurance company to deny coverage and claim that the insured simply failed to maintain industry best practices.