Cyber Risk Insurance Guide
With data breaches occurring on a weekly basis, cyber security has consistently ranked among the top risk concerns for executives over the past few years, and cyber criminals are only becoming more sophisticated, with intrusions becoming more frequent. While there is no substitute for a strong cyber framework and security controls, cyber liability insurance often serves as an organization's last line of defense when all else fails. However, cyber policies are often misunderstood.
What is Cyber Insurance?
Simply put, cyber risk insurance (also known as data breach insurance) provides protection against cyber risk and cyber-related events. Data breaches and theft of personal information are only one segment of cyber risk; there are many others. Cyber policies provide two main coverage components. The first is first-party coverage, which is essentially balance sheet protection – the organization suffers financial damage such as lost income, an extortion demand, required notification costs (or credit monitoring costs), or network/data restoration costs, and the insurer reimburses the company for the damages sustained. The second is third-party coverage, which provides defense costs (attorney's fees), damages, and settlements for claims and lawsuits that result from errors and security failures (among other incidents). These damages can result from employee or privacy violations, transmission of a virus to another party, or a regulatory action, to name a few. Cyber policies can either be purchased as a basic endorsement added onto a general liability policy, providing limited coverage, or as a stand-alone policy, which provides significantly broader coverage. When purchasing a stand-alone policy, companies can select the coverages of interest in order to match their risk profile. Available insuring agreements include:
- NETWORK SECURITY & PRIVACY LIABILITY: This agreement provides coverage for defense costs, damages, and expenses arising from theft or improper disclosure of confidential information in your care, custody or control (or in the custody of a cloud provider). Contrary to what many companies think, that data is not limited to credit cards and social security numbers; it also includes employee information (such as tax forms), health information, and corporate confidential information such as intellectual property and financial data. The data also does not always have to be in digital form and stolen by hackers; a privacy incident may arise from paper records being improperly disposed of. In fact, human error accounts for a large percentage of privacy incidents. Lastly, coverage can also be included for failing to disclose a breach and for claims related to improper privacy policies or data collection practices.
- MEDIA LIABILITY: A form of coverage for advertising and publishing injury, this insurance provides defense costs and damages for claims asserting copyright infringement and negligent publication of media (among others) while publishing content online and via social media channels.
- ERRORS AND OMISSIONS (E&O): While not included in all cyber policies, some carriers include an E&O insurance component which provides coverage for financial damages sustained by third parties (such as clients and customers) when your services fail. Examples might include software and service failures or poor advice by IT consultants. It is, however, important to note that E&O coverage differs greatly from policy to policy. Well-structured E&O policies should extend coverage to include claims resulting from breach of warranty, breach of contract and/or claims asserting failure to deliver.
- REGULATORY DEFENSE AND PENALTIES: This insuring agreement provides attorney's fees and costs associated with formal regulatory or administrative investigations. It also provides coverage for any resulting fines or penalties. With regulators such as the FTC, SEC and OCR increasing cyber enforcement, regulatory defense coverage is increasingly important. For more information on assessing the scope of regulatory coverage and term negotiation, please see our guide. Enforcement actions can result from any of the following:
  - Security failures such as failure to protect data (including employee information)
  - Improper data collection practices
  - Failure to disclose a breach
  - Deceptive privacy practices
- EXTORTION / RANSOMWARE: This agreement provides coverage for associated costs, lost income and extortion demands resulting from ransomware attacks that hold a website, data or software "hostage".
- DATA BREACH RESPONSE COSTS: The costs incurred in responding to a data breach can be significant; some figures estimate between $100 and $200 per affected record. Data breach response coverage provides coverage for the costs of any required forensic investigation, identity restoration costs, notification costs and credit monitoring costs.
- CRISIS MANAGEMENT EXPENSES: Data breaches can inflict significant damage to a company's reputation, and restoring consumer confidence can be difficult. As a form of reputation insurance, this agreement provides coverage for the organization to hire a PR firm in order to help rebuild the organization's brand and reputation. Note, however, that lost income resulting from brand damage is never covered.
- BUSINESS INTERRUPTION & DATA RESTORATION: Data breaches, DDoS attacks, ransomware attacks and system failures can often result in lost profits, especially if sustained for a prolonged period. These attacks can also result in the theft or corruption of critical data and in network damage, both of which may need to be restored. This insuring agreement provides coverage for the resulting lost income and for the costs to restore data and networks. Some insurers limit this coverage to security incidents only, while others also provide coverage for lost income resulting from a system outage. Some limit coverage to attacks directly affecting your own networks, while others extend coverage to incidents affecting a cloud provider or business service provider.
What Types of Claims Are Covered by Cyber Liability Insurance?
- Extortion and ransomware attacks resulting in lost income, extortion demands and data restoration costs.
- Virus infections of computer systems that destroy or corrupt data and networks, requiring restoration.
- DDoS attacks resulting in lost income and in financial damages to clients who cannot access data or use services.
- Data breaches and/or clerical errors (such as loss of a laptop with protected data) resulting in notification costs, credit monitoring, identity restoration costs, potential regulatory investigation and penalties, and potential consumer or shareholder class action.
- Improper privacy policies and/or data collection practices resulting in regulatory investigation and penalties and potential consumer or shareholder class action.
- Transmission of a virus or malware to a client or vendor resulting in defense costs and damages sustained by the injured party.
How Do Cyber Policies Differ?
Network insurance contains too many variables to outline here. Some policies provide only third-party coverage, while others include full first-party coverage. Some contain numerous exclusions, while others are more liberal. Exclusions also do not have to be explicitly scheduled; exclusionary language is often buried deep within the definitions and conditions of the policy. Below are just a few examples of the coverage variables:
- PAPER FILES: All policies provide coverage for digitally stored data; however, many companies also use paper files, such as applications, tax forms, employee records and health records. Some policies contain exclusions for losses arising from the theft or disclosure of paper records.
- ENCRYPTION: While data encryption is strongly recommended, some companies choose not to encrypt, or occasionally transmit or store data that is unencrypted. Some policies contain an encryption requirement, precluding coverage for any claims that arise from breaches affecting unencrypted data.
- SECURITY STANDARDS: Some cyber risk insurance policies contain a condition precedent to coverage, requiring that the organization employ a certain level of security measures. Failure to do so can nullify coverage.
- VIRUSES: Viruses can wreak havoc on a network, resulting in lost income and significant restoration costs. Some policies contain a specific exclusion for damage caused by viruses and/or any "self-propagating code".
- BODILY INJURY AND PROPERTY DAMAGE: Many cyber policies contain broad exclusions for any intrusions that result in bodily injury or property damage. These exclusions can be particularly problematic for the healthcare, technology and manufacturing sectors. If your company has any such exposure, it is important to seek coverage with a carrier that provides coverage for contingent BI/PD claims.
- VENDORS & OFFSITE COMPUTERS: Most companies rely on third-party software in one form or another, whether a cloud provider, SaaS application or compliance program. Security incidents that affect your business service provider or offsite computer systems can result in claims against your company, ranging from lost profits to privacy violations, and can also result in lost business income. Some carriers include coverage for breaches that affect service providers and offsite computer systems within their definitions, while others intentionally omit such language.
- DATA: The definition of data is an important consideration, especially for organizations that work primarily with corporate information. Some policies take an extremely narrow stance, defining data simply as driver's license information, dates of birth and social security numbers. Others contain more liberal definitions which include health information and corporate confidential information. Purchasing a policy with a narrow definition can significantly compromise coverage.
- FAILURE TO DISCLOSE A BREACH: Your employee lost a laptop with thousands of records on it; do you report it? With breach notification laws differing state by state, and cross-border laws posing an even greater challenge, knowing when a breach must be disclosed can be difficult. However, failing to do so can result in additional damages and regulatory enforcement. Some policies provide coverage for such claims; others do not.
- UNAUTHORIZED COLLECTION OF DATA: Most companies collect some degree of consumer data, but ensuring that your privacy policies and opt-in and opt-out practices are all accurate and transparent can be difficult. When data is collected improperly, claims can follow closely behind. Most policies contain some form of exclusion for claims arising out of data collection practices; however, a few insurers' policies contain no such exclusion. Even when coverage is included, terms can vary.
What Other Coverage Do I Need?
- D&O INSURANCE: When cyber breaches result in consumer or shareholder class actions, a properly structured directors and officers insurance policy may be the best protection. Depending on the claims asserted, the policy language, and the specifics of the loss, a D&O policy may or may not extend coverage; however, due to the wide range of coverage provided by D&O policies, it is generally a wise placement nonetheless.
- CRIME & SOCIAL ENGINEERING INSURANCE: An often overlooked component of a strong cyber program is crime coverage. Crime insurance (with a properly structured social engineering endorsement) is particularly critical for protection against social engineering attacks and funds transfer fraud which are increasing in frequency and severity.
Recent Trends Increasing Cyber Risk
- With larger organizations investing more resources into their cyber security frameworks, and smaller organizations lacking proper security, cyber attacks are trickling down to mid-sized and smaller companies with greater frequency.
- Ransom demands have historically been on the lower side; however, these demands are expected to increase, which will result in greater damages for companies affected by extortion attacks.
- In addition to attacks becoming more sophisticated, malware is becoming smarter and the underground cyber crime marketplace (the dark web) is growing, with more available code and a greater number of users, which will result in an increase in data breaches.
- Regulatory agencies such as the SEC and FTC are increasing their oversight of cyber security, bringing a greater number of enforcement actions against companies that fail to prevent a breach, fail to disclose a breach, or improperly collect consumer information. They have also voiced interest in pursuing actions against smaller companies.
Who Needs Cyber Liability Insurance?
- Public companies including micro cap and nano cap companies and those trading OTC.
- Professional firms of all sizes - particularly professionals that work with public companies, including consultants, accountants and lawyers
- Companies subject to regulatory oversight such as financial institutions and government contractors
- Smaller & mid-sized businesses. It is estimated that 60-80% of breaches affect the SME sector. In 2015 alone there were 781 breaches, as reported by the ITRC.
- Higher-risk industries such as retailers, financial firms, healthcare, technology companies, educational institutions, hotels and hospitality companies, manufacturers and professional service firms.
- IS CYBER RISK COVERED BY GENERAL LIABILITY INSURANCE? No. While there have been a select few cases where companies have been able to successfully assert data breach coverage under their general liability policies, the very short, simple answer is that CGL policies provide no such coverage.
- HOW MUCH DOES CYBER INSURANCE COST? Cyber insurance is not as expensive as many companies assume. The cost depends on the limits and coverage chosen, the type of data and the number of records, among other factors; however, simple endorsements can cost as little as $400 per year, with broader stand-alone policies starting at $1,000 to $1,500 per year and rising above $10,000 depending on the risk profile.
- DO BREACHES AFFECT SMALL BUSINESSES? Yes. It is estimated that 50% to 70% of breaches affect the SME sector (small and mid-sized enterprises).
- WE USE A 3RD PARTY PROVIDER, DO WE NEED DATA BREACH INSURANCE? Yes. Security and protection of your clients' data is still your responsibility, and if and when a lawsuit occurs, multiple parties will be named. Cyber insurance has not advanced to the point of being able to add an "additional insured" to the policy, so while it is best practice to ensure your cloud provider has their own insurance, that policy will not provide you any protection.
- WE DON'T STORE ANY PERSONAL INFORMATION, DO WE STILL NEED COVERAGE? Yes. As outlined above, breaches do not solely target PII (personally identifiable information); in fact, health records are even more valuable. Cyber criminals have also been targeting corporate non-public information such as IP and financials.
- WILL THIS POLICY PROVIDE PROTECTION FOR THEFT OF OUR IP? No. First-party coverage for theft of your own IP is never provided by network insurance. For more advice on protecting your IP, please see our recent article for BNA.
- IS THERE ANYTHING ELSE I SHOULD BE AWARE OF? While the above serves as a good overall guide, it is important to understand that cyber insurance policies are not standardized like other lines of insurance. This means that they differ considerably in their coverage terms, definitions, exclusions, etc. For this reason it is important to partner with an insurance broker who is experienced with cyber risk insurance. GB&A is licensed in numerous states across the country, including New York, California and Texas (among others).