Understanding Cyber-Risk Insurance
Getting insurance coverage for cyber exposures at a fair premium is more complicated than buying fire insurance. You need to know what your actual IT risks are and understand what coverage you need.
Any business needs two classes of coverage. First-party liability coverage for risks it cannot fix but cannot be ignored, and third-party liability coverage for damages it might cause to third parties.
Primary Liability Coverages
First-party liability coverage is to cover costs incurred from a break-in to your systems. The essential elements are:
Theft and fraud coverage for some of the costs of a theft or destruction of your data or theft of company funds.
Network and business interruption coverage is an important part of cyber coverage. The carrier may impose limitations, but you should not allow specifying that the intrusion must be caused by an intentional cyber-attack. Intentional is hard to prove. Reasonable conditions may include a time limit on when the coverage begins and the total length of outage the insurance will cover. You can negotiate these limitations if you understand the business exposures including contingent business expenses you probably will not be able to quantify in advance.
Extortion is coverage for the cost of a ransom you may have to pay to get your systems back online. Ransomware tracking shows these demands are on the rise.
Data loss and retention covers the cost of restoring data that may have been lost and possibly the cost of diagnosing the cause of the loss. It may be expensive because it is typically subject to substantial retentions. You should ensure this coverage is not limited in terms of the cause of the loss. It will be important for you to be able to prove you have done the necessary measures to remediate, within your capability, any potential exposures revealed by your assessment so the insurer is comfortable with not including a cause-of-loss limitation.
Third-party liability coverage is to cover claims by third parties whose data within your possession has been hacked into or otherwise compromised.
Privacy coverage is to address claims by your customers, clients, and employees for breaches of their confidential information. This coverage should include any failure to protect the data, not specifying that the breach be intentional. You should also ask for coverage for any failure to report the breach under applicable reporting requirements, or failure to disclose a breach under applicable privacy laws.
Regulatory actions coverage should include defense costs for any government or civil investigations or requests for information, beginning at the start of the investigation, whether the investigation is instigated by a formal complaint or suit. You also will need coverage for civil fines and penalties.
Notification costs include the cost of notifying third parties who may have been affected by your data breach. You should be prepared to tell the insurer the number of people to be notified and the method and cost of notification. Make sure this data is in the policy along with a provision allowing you to update this on a regular basis. Given the constantly changing landscape of individual state notification laws, keep track of the state requirements that may apply to your customer.
Crisis management covers the public relations costs of defending or repairing your reputation. These costs may be difficult to quantify. Reputational restoration can be one of the most important aspects of your post-breach efforts.
Call-center costs may be one of the most significant expenses. It is important to have coverage for these costs included, along with the number of people eligible to receive call-center services, the specific call-center services to be provided, and the call center’s hours.
Credit/identity monitoring coverage is included in most policies but may be limited by the individuals who can receive the services and the list of approved vendors.
Transmission of viruses and malicious code covers liability claims for damages from the transmission of viruses, malicious code or data from your system to another system. It is important to know if your system is capable of this kind of transmission, you do not want to pay for unneeded coverage. If not, you can omit it.
Other Points To Shop
Type of policy. Policies are generally divided into two categories: “claims made” and “occurrence.” A claims made policy is triggered when a claim is made against you during the policy period, regardless of when the act that caused the claim took place. Occurrence policies cover claims that arise out of damage or injury that took place during the policy period, regardless of when the claims are made. Most commercial general liability insurance is occurrence.
Trigger. Cyber policies are typically triggered by an event that results in the loss of data during the policy period. Claims-made policies typically are more restrictive on what events can trigger coverage, and the timing of resulting claims in relation to the loss may limit or preclude available coverage. You may find the occurrence policies preferable even though they generally cost more.
Defense obligations. In some policies, the defense obligation is triggered only by a suit, which requires a lawsuit or written demand against the insured. This may preclude defense of a claim that has not become a lawsuit or written demand. Yet, this is where much of the defense cost on a matter may be spent. Argue for less restrictive defense language so there are no limitations as to coverage for governmental actions including investigations.
Choosing defense counsel. In some policies, defense costs are covered only if you choose from the insurer’s list of law firms. If you choose a different firm, defense costs probably will not be covered.
Given the substantial costs likely to be associated with a significant data breach you should have real input in the choice of counsel. You should ask for a policy with a balanced choice of counsel language - you and the insurer agree on defense counsel and if you cannot agree, you will choose counsel for which the insurer will pay up to a set hourly rate.
Retroactive coverage. Policies often have a retroactive date where losses from events before the retroactive date will not be covered. Insurers often what the retroactive date to be initial date of coverage. Given that exposures unknown to you may have occurred some time ago, negotiate a retroactive date as far back as you can reasonably determine your exposures may have arisen.
Vendor liability. Acts of third parties may not be covered expressly, or may be excluded, under some policies. For instance, if you use a third-party vendor to maintain your confidential customer or employee information in the Cloud, and the vendor has a data breach, you could be sued by your customers or employees. Whether you have coverage will depend on the policy language. Some policies have coverage for breaches of data maintained by third parties if is a written agreement between you and the vendor to provide the services.
If you use a third party to maintain any of your confidential information, consider getting a policy that expressly covers breaches of data maintained by the third party.
Your contract with your cloud provider should have indemnification language with a provision that the provider will maintain verifiable cyber-risk insurance. Self-insured retention language in your coverage should say that any payments made by the third party indemnifying the company for loss sustained by the breach count toward satisfaction of the retention.
Loss of unencrypted data. Coverage for data lost from unencrypted devices is often excluded. If you must live with this limitation, make sure you have an enforceable policy that all personal information or sensitive firm information, in any format, is encrypted on individual devices. It would be better to prohibit personal information and sensitive firm information from personal devices, period.
Identity of covered entity. Many policies define covered persons to include only natural persons. Your policy should accurately define the entity or entities who may be affected. This would also be the place to include any other entities who should be listed as additional insureds.
Policy territory outside the United States. Even if you do not operate outside the United States, your employees may lose their laptops, PDAs, and other electronic devices containing confidential information, or have them stolen, while traveling abroad. Many policies attempt to restrict the coverage territory to the United States and its territories. Make sure your policy provides coverage for losses or thefts of confidential information that occur outside the United States.
Breaches unrelated to electronic records. Some policies restrict coverage to loss or theft of electronic data. Given that many breaches occur as a result of loss or theft of paper or other nonelectronic records, your policy should cover both electronic and other forms of records.
Location of security failure. Some insurers attempt to limit coverage to physical theft of data from company premises. This limitation would deny coverage from claims arising from laptop, PDA, or thumb drive thefts. Other policies limit coverage for data breaches resulting from password theft to situations where the theft occurs by nonelectronic means. You should not to permit these limitations.
Exclusions for generalized acts or omissions. Some insurers want to exclude coverage for losses from: (1) shortcomings in security which you were aware of before the inception of coverage; (2) your failure to take reasonable steps to design, maintain, and upgrade security; and (3) certain failures of security software. If you do a thorough risk assessment and act on the remediation recommendations in the assessment, you should be able to show these kinds of exclusions should not be included.
Exclusions for acts of terrorism or war. Many policies include this exclusion, which would seem to apply to an attack by a foreign nation, a lot of which is happening. If you cannot get the insurer to leave this exclusion out, consider purchasing alternative coverage that would address it.