Cyber-related privacy and security risks continue to evolve like the hydra from Greek mythology. Once one threat has been addressed, two new threats seem to appear. Even the most well-prepared among us must remain vigilant in the war to maintain data security. And any business – no matter how large or small – needs a protocol for action when a cyber incident occurs.
Insurance coverage for cyber risks is a critical component of cyber risk management. Why? Simply put, the aftermath of a cyber incident may threaten the continued viability of your business because it can require substantial financial resources and time away from your core mission.
When a cyber incident occurs, a business must act quickly on several fronts, namely (1) taking the actions needed to keep the business running (“first-party” costs) – such as restoring access to your data through computer forensics or arranging for payment of a ransom – and (2) taking the actions required by law (“third-party” costs) – such as notifying your customers, suppliers, partners, or employees of a privacy breach and responding to any legal actions for damages. A cyber incident may require one or all of the following:
- A forensic investigation to find and fix the vulnerability that caused the data breach and determine whose personally identifiable information may have been compromised;
- Restoration of damaged computer systems, hardware, software, and data;
- Legal advice on privacy law requirements;
- Notification of third parties and other costs such as monitoring credit, setting up a call center for questions, and restoring stolen identities;
- Crisis management, including public relations assistance;
- Liability to third parties for damages caused by the breach;
- Fines and penalties imposed by government regulators;
- Fines and penalties imposed by credit card issuers and servicers;
- Loss of business income due to downtime caused by the cyber incident and extra expenses to mitigate downtime; and
- Losses from computer fraud.
A comprehensive cyber insurance policy will contain the key insuring agreements to protect against these potential liabilities and losses arising from a data breach.
Steps to Cyber Insurance Security
Step 1: Review your current coverage. Traditional insurance policies covering commercial general liability (CGL), crime, or business property may contain certain cyber coverages by endorsement. While some insurers have begun to integrate more cyber coverages into traditional policies, this piecemeal approach is typically inadequate. A comprehensive stand-alone cyber policy with sufficient limits is best. It is always worth asking what the additional premium would be to obtain the highest limit that is affordable and commensurate with your assessment of the risks.
Step 2: Mind the gaps. Even a “comprehensive” cyber policy can vary significantly from insurer to insurer. Therefore, your review of your policies should include identifying any potential gaps in coverage. One of the first published cases interpreting a cyber policy illustrates this point. When hackers accessed 60,000 credit card numbers in P.F. Chang’s customer database, the restaurant chain’s cyber policy covered the $1.7 million in costs to determine the cause of the data breach and defend the company against customer lawsuits (PF Chang’s v. Federal Ins. Co., No. CV-15-01322 (D. Ariz. 2016)). Unfortunately, P.F. Chang’s cyber policy did not cover the nearly $2 million in expenses imposed by credit card issuers to pay for notifications to cardholders and reissuance of credit cards compromised by the breach. Policyholder coverage counsel can review the terms and conditions of your cyber coverage to identify any such gaps.
Insurers are still grappling with some of the technical aspects of wording cyber coverage. For example, a company may discover that it can no longer use its computer systems or access its electronic information and, at the same time or afterward, receive a demand for a ransom in order to regain access. Yet the “cyber extortion” coverage in some policies requires a credible threat to interrupt, corrupt, or destroy your computer system. A claims adjuster may unfairly attempt to interpret such policy language as requiring that the attacker’s threat precede the actual attack, even though in a typical ransomware incident the attack comes first and the demand follows. Your insurance broker or agent can inquire about how your insurer interprets ambiguous wording.
Step 3: When a cyber incident occurs, notify your insurance carriers ASAP. All insurance policies include notification provisions that set out the requirements for notice. Notice is typically required immediately or “as soon as practicable.” Compliance is important to avoid a “late notice” defense and preserve your coverage. The policy’s “conditions” may include additional requirements for coverage, such as pre-approval of payment of a ransom. In addition, most cyber insurers have a team of experienced experts at the ready to help mitigate your losses and manage your response to the cyber incident. Some insurers require use of legal counsel and other vendors from a pre-approved list; however, many insurers will accommodate a different choice.
Ultimately, even the most advanced data security measures are not foolproof. The question is not whether a cyber incident will occur, but how your business will respond when it does. Cyber insurance is an indispensable arrow in your quiver.