Many companies have turned to their insurance programs to protect themselves against cyber attacks; however, most traditional commercial general liability and property policies don’t provide any relief from data breaches. From about 2012 to 2014, litigation raged over whether general liability policies covered data breaches. However, the insurance industry added a broad data breach exclusion by endorsement that eliminates coverage for data breach or network or system failures on policies that contain the exclusion.
As a result, many companies have turned to “cyber insurance.” Fitch Ratings estimates that cyber insurance premiums in 2016 totaled in excess of $3 billion and are expected to be around $20 billion in written premium by 2020. The policies are considered to be reasonably priced, and with few exceptions they haven’t produced coverage litigation, at least not yet.
More than 60 insurers now offer cyber policies, but no standard policy form exists, and the marketplace is like the Wild West. The policies are highly complex and confusing, with dozens of definitions, exclusions and conditions.
A company must understand its cyber risks and its needs before it approaches the market to transfer those risks. Is it looking for first-dollar coverage or catastrophic coverage? Working with an experienced cyber insurance professional is absolutely essential, and there aren’t many of them.
Cyber policies principally provide insurance coverage for data breaches, the first-party and third-party legal responsibilities a company has post-breach, and the associated risks that can include governmental investigations, notification costs, business interruption and class actions.
One feature of cyber policies that has proven to be most useful is event response coverage, which begins when the policyholder discovers the breach. The insurance company provides the policyholder with recommended attorneys — known as data breach coaches — and consultants to address the situation. It also provides coverage for those measures necessary to preserve the company’s brand up to the policy limit.
Exclusions are key
With the burgeoning growth of ransomware, cyber insurance can also provide cyber extortion coverage and business interruption coverage. This becomes incredibly important when businesses are not able to operate because their network has been locked down (extorted). The business interruption coverage (which does not come standard with all cyber policies) will pay the policyholder for the lost profits that it was not able to collect because its network was compromised. This can be very meaningful for companies that rely heavily on their computers and networks.
It’s important to review the exclusions in a cyber policy. In view of the growing importance of the Internet of Things, companies should be aware that cyber policies typically preclude insurance coverage for property damage and bodily injury, although it may be possible to negotiate for limited coverage for such risks. However, traditional general liability policies that provide coverage for property damage and bodily injury may apply to such claims. Although general liability policies typically contain a “cyber exclusion,” such exclusions usually run to data breach, not physical or bodily injury.
The original focus of data breach was hacking, which remains a pre-eminent threat. However, in 2017, a company must also guard against phishing and cyber extortion, and be cognizant of dangers posed through the Internet of Things. Companies must employ a full panoply of resources to protect themselves, and one of these resources should be cyber insurance.