Cyber Risk & Data Breach Insurance

2026 Cyber Insurance Guide, Checklist & Risk Trends

It’s difficult to address organizational risk without discussing cyber insurance. Cyber risk continues to rank as the c-suite’s top concern. As cyber risks continue to evolve, so do the cyber security controls and insurers’ policy forms.

Cyber insurance (also known as data breach insurance) provides protection for cyber risk and cyber-related events. Data breaches and the theft or disclosure of protected personal or corporate information are only one type of cyber risk; there are many others. The most common threats today are ransomware attacks and social engineering crimes resulting in fraudulent transfers. Coverage can generally be broken down into two segments: first-party coverage, for damages such as lost business income, ransom payments and funds lost to a social engineering scheme, and third-party coverage, which pays for defense and vendor costs, notification requirements, fines, etc. Cyber policies have also evolved greatly from where they began years ago. Today’s modern policies can provide coverage for a much wider range of claims, such as utility fraud, crypto jacking, litigation involving failure to adhere to privacy policies, claims involving pixel tracking and even deep fakes created using artificial intelligence. One of the biggest benefits of a cyber insurance policy, however, is the response it provides: attacks can be disorienting, creating considerable confusion and urgency. Cyber policies provide a team of panel experts who are immediately accessible and ready to respond.

INSURING AGREEMENTS: THE BASICS

Network Security and Privacy Liability: Almost all businesses transmit, store, or process some form of protected data, whether they realize it or not. In addition to employee data and corporate confidential information, today’s regulations such as CCPA and GDPR maintain very broad definitions of protected information, ranging from names and dates of birth to biometric data and IP addresses. When that data is stolen, accessed or improperly disclosed, this insuring agreement provides coverage for the resulting investigation costs, defense costs, damages, and expenses. It’s important to stress that not all privacy violations stem from data breaches. Employee errors such as a lost laptop or erroneously emailing a database of protected information would also qualify as an incident. Additionally, many cyber policies can also provide coverage for failing to disclose an incident, for violations of privacy policies, and for claims related to improper data collection practices.

Media Liability: A form of coverage for advertising and publishing injury, this agreement provides defense costs and damages for claims asserting wrongful acts such as plagiarism, trademark violations and improper deep linking (among others) while publishing content online and via social media channels. Given the proliferation of AI-produced content and concerns over plagiarism and copyright violations, however, some carriers have begun to implement exclusions precluding coverage for any media generated by artificial systems.

Errors and Omissions (E&O): While not included in all cyber policies, some carriers include an E&O insurance component which provides coverage for financial damages sustained by third parties, such as clients and customers, when your services fail. Examples might include software failures, errors in providing media and advertising services, and poor work performed by web designers or IT consultants. It is important to note, however, that E&O coverage differs greatly from policy to policy. Well-structured E&O policies should extend coverage to include claims resulting from breach of warranty, breach of contract and/or claims asserting failure to deliver.

Regulatory Defense and Penalties: This insuring agreement provides coverage for attorney’s fees and costs associated with formal regulatory or administrative investigations. Stronger policies also provide affirmative coverage for any resulting fines or penalties stemming from privacy violations such as those imposed by HIPAA, CCPA and GDPR. These violations and resulting fines can stem from security failures, to improper data collection practices, to deceptive privacy practices, and more. For more information on assessing the regulatory coverage insuring agreement, please see our previously published guide.

Extortion & Ransomware: Provides coverage for extortion demands resulting from ransomware attacks that might hold an organization’s network, website, data or software “hostage”.

Data Breach Response Costs: Data breach response coverage provides coverage for the costs involved with performing a required forensic investigation, and any costs involved with notifying affected parties and providing any required identity restoration and/or credit monitoring.

PCI Coverage: An important coverage for any business accepting credit card payments, PCI insurance provides coverage for fines and penalties arising from violations of PCI DSS requirements, such as failing to protect cardholder data or to implement proper security controls (firewalls, encrypted transmissions, etc.).

Crisis Management Expenses: Data breaches can inflict significant damage to a company’s reputation. Restoring consumer confidence can be difficult. As a form of reputation insurance, this agreement provides coverage for the organization to hire a PR firm in order to help rebuild the organization’s brand and reputation following a security incident.

Business Interruption and Data Restoration: Business interruption (lost income) caused by cyber incidents such as ransomware attacks is often one of the most significant damages incurred by affected organizations. Lost income is also just one component of the financial damages incurred; there are also considerable extra expenses such as payroll and overtime costs, travel costs, temporary relocation costs, and the costs incurred in repairing or restoring any corrupted data or damaged networks. This insuring agreement provides coverage for the aforementioned damages. It should be noted that the scope of business interruption coverage can vary greatly from policy to policy. Some policies may limit this coverage to security incidents only, while others will also provide coverage for lost income resulting from a system outage. Additionally, some insurers may limit coverage to attacks directly affecting the organization’s own networks, while others will extend coverage to incidents that affect a cloud provider or business service provider.

E-Crime Coverage: E-crimes come in many shapes and sizes: Computer Fraud (resulting in direct theft of funds), Funds Transfer Fraud (fraudulent instructions sent to a bank), Social Engineering (being duped into making a fraudulent transfer), and Invoice Manipulation (duping an organization’s customers into making a fraudulent payment). With e-crimes being a leading source of losses for organizations, it’s absolutely critical to ensure all forms of e-crime are covered, and to perform a careful policy review to ensure policy terms are in order.

CYBER RISK TRENDS

Increasing Data-Breach Litigation: The number of lawsuits (including class action lawsuits) brought against companies following privacy incidents has been steadily increasing. A recent report by IAPP indicates the number of annual cases filed has almost doubled since 2020. This is likely being driven by more effective strategies by plaintiffs’ firms improving their pleadings, stricter data protection laws, and courts becoming more willing to hear privacy cases.

Artificial Intelligence Risks: Cyber risk has evolved tremendously over the past few years. One of the most recent developments is the use of artificial intelligence by malicious actors to spoof high-level executives into making fraudulent transfers. Artificial intelligence has also resulted in increased media liability, as organizations use AI-generated content, which can result in copyright and trademark claims. Insurers have had mixed responses to this increased exposure. Some carriers are adding explicit endorsements affirming coverage for such AI spoofing claims, whereas others remain silent. Additionally, some carriers are beginning to add specific AI exclusions to their media liability insuring clause, precluding coverage for AI-generated media.

Influencers and Social Media: In the context of media liability, the use of social media and influencers is also creating heightened exposure to claims involving libel, slander and copyright/trademark violations, whose damages may be covered (or partially covered) by the media agreement within a cyber policy. Malicious actors are also knowingly leveraging social media to assist with their attacks. Such platforms may be used to gather information, build trust, or serve as a weak entry point for obtaining other credentials. Again, carriers remain mixed in their responses, with some insurers attaching explicit exclusions (particularly to the media liability portion of their coverage) and others including endorsements confirming coverage for media posted on social platforms.

Biometric Claims: The protection of biometric data (such as fingerprints and facial recognition data) has become of particular importance since Illinois’ passage of BIPA (the Biometric Information Privacy Act), with Texas and Washington passing similar statutes. Organizations that possess any biometric data, such as users’ facial recognition data or employees’ fingerprints, need to be aware of the potential damages involved with failing to protect such data; accordingly, the c-suite should perform careful cyber policy reviews, as coverage for such violations may be precluded.

Pixel Tracking: Pixel tracking claims have ballooned over the past few years, driven by a handful of plaintiffs and plaintiff firms. These claims allege that an organization’s use of “pixel tracking” (collecting small bits of user data) violates wiretapping laws. In some cases, organizations may not even be aware that such data is being collected, as the plugins may have been installed by hired marketing companies. Policyholders should check their policies, as pixel tracking exclusions are becoming increasingly common.

Insider Threats: Insider threats appear to be increasing, driven by outsourcing, continued remote work arrangements, and the use of outside contractors.

REVIEWING POLICY TERMS

Cyber insurance policies are extremely complex, fast moving, non-standardized and difficult to understand. To illustrate their complexity, when drafting our cyber checklist we counted upwards of 40 exclusions, so outlining all of the important terms, endorsements and exclusions is extremely difficult (if even possible). Below are some good basic recommendations:

Ensure Basic Terms Are In Order: Most policies today have evolved to comply with the coverage recommendations below; however, given their importance, it should never be assumed that such terms are already included.

  • Definition of Data: The definition of data is an important consideration, especially for organizations that work more with corporate information, which may be further protected by corporate confidentiality agreements. Some policies take an extremely narrow stance on defining data, limiting it to driver’s license information, dates of birth and social security information. Others contain more liberal definitions which include health information, corporate confidential information, and any protected information as defined by CCPA/GDPR or similar statutes. Purchasing a policy with a narrow definition can significantly compromise coverage. All policies provide coverage for digitally stored data; however, many companies also utilize paper files, such as applications, tax forms, employee records, health records, etc. Some policies contain exclusions for losses arising from the theft or disclosure of paper records.
  • Definition of Computers and Systems: Most companies rely on third-party software in one form or another, whether it be a cloud provider, SaaS software or a compliance program. Security incidents that affect your business service provider or off-site computer systems can result in claims against your company, ranging from lost profits to privacy violations, and can also result in lost business income. Some carriers include within their definitions coverage for breaches that affect service providers and off-site computer systems, while others intentionally preclude such language.
  • Are there Encryption Requirements: While data encryption is a wise recommendation, some companies may choose not to encrypt, or may occasionally transmit or store data that is unencrypted. Some policies contain an encryption requirement, precluding coverage for any claims that arise from breaches affecting unencrypted data. As a side note, most cyber insurers will require encryption today, and insureds will likely need to confirm such controls are in place when applying for coverage.
  • Are there Minimum Security Standards: Some cyber risk insurance policies contain a condition precedent to coverage, requiring that the organization employ a certain level of security measures. Failure to do so can nullify coverage. Such requirements should be avoided where possible.

Secure Coverage Enhancements: Many carriers today will include a number of coverage enhancements. Among those included are coverage for:

  • Crypto Jacking and Utility Fraud Coverage: Coverage for attacks where malicious actors take over computer systems solely for the purpose of mining cryptocurrencies, causing the systems to run at maximum capacity and resulting in slowdowns and increased utility costs.
  • Bricking Coverage: Covers the costs to replace any hardware that may be rendered inoperable.
  • Voluntary Shutdowns: Triggers coverage for business income damages from voluntary shutdowns of any systems in order to prevent an attack or mitigate damages.
  • CCPA and GDPR Endorsements: Broadens the definition of protected information to comply with regulations such as CCPA and GDPR.
  • Affirmed BIPA Coverage: An endorsement providing (often sub-limited) coverage for BIPA claims.
  • Blanket Additional Insured Endorsements: Vendors and business partners are more commonly requesting to be named additional insured on cyber policies. This endorsement provides affirmative coverage on a blanket basis, where contracts contain such requirements.

Avoid Problematic Exclusions: As mentioned above, cyber policies collectively contain upwards of 40 exclusions. While some of them are standard, others can be very problematic.

  • Broad Contractual Exclusions: Most policies will contain some form of contractual exclusion; however, in the context of cyber insurance it’s important to ensure proper carvebacks are obtained, such as carvebacks for PCI claims, confidentiality agreements and unintentional violations of privacy policies (among others).
  • Overly Broad War Exclusions: Cyber policies often contain war exclusions, but some are broader than others and could be problematic in the event of a breach. Lloyd’s of London notably amended their policy language late in 2023 with extremely broad wording. Many cyber experts are concerned that overly broad exclusions could preclude coverage for certain breaches, such as situations where servers or networks are located in countries engaged in current conflicts, or those in which hackers claim a political motive or claim to be sponsored by a state-sponsored group.
  • Widespread Event Exclusions: Carriers are increasingly beginning to attach widespread event exclusions or heavy sub-limits, which exclude or limit coverage where multiple parties are affected by a single attack or vulnerability. Each policy also differs in how it defines a “widespread event”, with the most aggressive exclusions only requiring one other outside system to be affected. These exclusions should be avoided where possible, as such attacks are becoming more commonplace.
  • Unsupported (End of Life) Software: Exclusions precluding coverage for incidents that affect unsupported (outdated) software.
  • AI Exclusions: Artificial intelligence exclusions are not yet commonplace; however, they are beginning to emerge and can pose serious coverage issues, as discussed here. The biggest concern is the exclusion of coverage for spoofing attacks which use AI to trick corporate officers into making fraudulent wire transfers. Another concern is that many organizations may be using AI within their cyber security environment; should that AI fail to detect or respond to a threat, or should an organization be affected by an AI-launched attack, such an exclusion could nullify coverage.

Ensure Vendors are Approved: Cyber insurers will not consent to incur any costs until a claim has been tendered, and they require that the insured utilize counsel and vendors approved by the insurer. To ensure that costs incurred at the early stage of an investigation are in fact covered by the policy, it’s critical that the organization’s breach response plan aligns with its cyber policy’s terms. Any preferred counsel and forensic/IT vendors must be approved or added to the policy’s panel list.

Assess the Policy’s Business Interruption and Extra Expense Limit: As business income damages continue to increase, some insurers have now begun to apply lower sub-limits to their policy’s business interruption coverage. As a result, policyholders should perform an extremely careful assessment of both the policy’s terms and any limits. It’s also equally critical to discuss the carrier’s claim reputation with any insurance broker or counsel, as some carriers have more of a reputation for disputing certain business income related expenses.

Implement “Ancillary” Coverages: One of the most important “ancillary coverages” is D&O insurance, which provides protection against claims brought by shareholders, vendors, regulators, customers, and creditors following a cyber incident. Organizations should also consider crime insurance. While crime insurance provides for many non-cyber losses, such as employee fraud and theft of money on/off premises, in some cases, securing a crime policy alongside a cyber policy can help an organization achieve greater limits pertaining to e-crimes such as fraudulent transfers and social engineering losses.

FAQ

How Much Coverage Do I Need? This is a difficult question to answer. As an example, a ransomware attack can take upwards of a month to recover from, so in setting an appropriate ransomware limit an organization would need to anticipate what a ransom demand might look like (given demands against similarly sized peers), what the resulting lost income and extra expenses could total, and factor in additional costs such as forensics and data restoration. In terms of calculating an appropriate e-crime limit, policyholders should consider the average and maximum value of any given transfer to help develop a baseline limit. There are a few breach calculators published online by Chubb, At-Bay, and Alexio (for healthcare institutions) that may be helpful.

How Much Does it Cost? Simple cyber endorsements for small and mid-sized companies can cost as little as $1,000 per year, with broader stand-alone policies at $2,500 to $5,000 per year for a $1 million limit. Larger companies and those with greater risk profiles, such as healthcare institutions, may see premiums upwards of $20,000 per $1 million of limit.

Do Breaches Affect Small Businesses? Yes, it is estimated that 50% to 70% of breaches affect the SME sector (small and mid-sized enterprises).

We Don’t Store any Info, Do We Still Need Insurance? Yes. As we have outlined above, protected information is defined extremely broadly today, and most companies process, store or transmit some form of protected data, whether that be employee data or user/client data. Breaches also do not solely target networks or protected information; in fact, e-crimes such as social engineering and invoice manipulation are among the leading causes of loss.

What Security Controls Do I Need to Have Implemented? When applying for coverage, most carriers will require the basics from even smaller companies, including fully encrypted data and email, multi-factor authentication enabled, appropriate data backup controls, malware detection and possibly EDR (endpoint detection and response). Larger companies and those with a greater risk profile will of course encounter stricter requirements, such as intrusion detection/prevention systems and data loss prevention systems.

Will This Policy Provide Protection For Theft of Our IP? No, first-party coverage for theft of IP is never provided by network insurance. For more advice on protecting your IP, please see our recent article for BNA.

Get (Risk) Managed.

Ready to review your existing insurance program? Interested in setting a reminder for a renewal review? Or simply have a question? We're here to help. We also understand you're busy - let's schedule a time to speak that works best for you. Simply schedule a call and we'll reach out when it's convenient.