The Key Coverages of a Cyber Insurance Policy


Insurance is one of the many essential expenses that your business incurs. With the ever-increasing number of data breaches per year, many of them high-profile, highly publicized data security scandals (Equifax, Target, and TJ Maxx), cyber liability insurance is slowly taking center stage.

The Identity Theft Resource Center reports that as of 4/1/2018 a total of 273 breaches have been recorded with over 5 million records exposed. All in a mere 4 months!

A few examples of recent breaches, across all industries include –

You might be thinking that larger companies are the main target of cyber attacks. They are not! In fact, according to the Verizon Data Breach Investigation Report, 61% of all cyber attacks target specifically small businesses. Often, small business owners are either not fully aware of the risk or do not take the necessary security precautions, so they are easy prey for cybercriminals.

Cyber liability insurance is the answer to this cyber risk. Cyber liability is a new, rapidly expanding insurance product. Over the last decade, it has evolved from an add-on to a liability policy into a stand-alone policy.

Currently, there is no standard form on which insurance companies underwrite these policies. Even though this makes it tougher for a consumer to make sense of all the coverages, it gives your broker the ability to negotiate the terms and the coverages more than with any other policy on the market. It is not possible to include every potential cyber peril, so it is essential to know exactly what coverages you are purchasing, what triggers will impact that coverage, and what exclusions you are agreeing to.

In this blog post, we will go over the main coverages, major exclusions to look out for and coverage triggers. Look at it as your road map to a conversation with an experienced broker to discuss what coverages you might need.

The Two Coverages of a Cyber Insurance Policy

There are two distinct cyber insurance coverages – first-party coverage and third-party coverage.  Let’s examine each one.

First-Party Coverage

First-party coverage is designed to cover the costs to your business as a result of a cyber attack or a data breach incident.

  • Data Breach Response: This is included in most policies. As the name suggests, this coverage is for the costs of the actions that need to be undertaken following a data breach incident. The Data Breach Response coverage includes forensic investigation costs, the expense of hiring a PR firm, data restoration costs, and the costs of notifying the customers whose information could have been compromised.

    Notification Costs: It’s important to keep in mind that the carrier will often limit the number of individuals it will notify and the methods of notification. With the ever-changing mandatory notification laws, this limitation can lead your company to have to absorb some of the notification costs.

    Currently all states, other than Alabama, have adopted data breach notification laws. The laws specify what type of business must comply with the law; definitions of “personal identifiable information” (PII); what constitutes a breach; any requirements for notice; and any exemptions.

    It’s key to evaluate how many records you are currently storing, as well as any growth projections every year, to minimize your costs in the event of a security breach.

    BakerHostetler Law has put out a helpful document with all the laws broken down by state.

  • Business Interruption: As with any Business Interruption (BI) coverage in other insurance policies, the trigger for this coverage is a direct causal connection between the covered policy event and a loss of income.

    BI coverage is often sub-limited and is subject to a waiting period. It can also be tied to an overall aggregate limit, which is a total amount the policy will pay for all attacks that happen during the policy year.

  • Contingent Business Interruption: Even if you do not store sensitive data yourself, your business is still at risk. Imagine that your data is hosted and stored by a storage provider company and they get hacked. This coverage will cover the business income loss that you suffer as a result of that attack.
  • System Failure Business Interruption: Even if your company is not hacked, data can be lost due to computer hardware failure. This coverage will cover the business income loss that results from such a failure.

Note: Business interruption coverage typically has a waiting period deductible and can be capped at a certain period of time for the payout.

  • Reputational Risk: This is a business interruption coverage that will pay for the income loss caused by a data breach being made public and the resulting loss of customer faith.
  • Ransomware Extortion: This covers the payments to a cyber extortionist who is holding your data hostage or is threatening an attack. Just like Kidnap & Ransom policies, a cyber liability policy can provide critical assistance, with the ability to pay the extortionist on the spot, often in the requested cryptocurrency, and professional negotiation with the extortionist.
  • Cyber Crime: This covers not only the loss of data but the loss of money. An example scenario would be a criminal hacking your files, stealing password and account information, and transferring the money into their account.
  • Social Engineering: While the Cyber Crime portion of the policy covers an intentional hack into your system, social engineering tricks you or your employee into voluntarily “giving away” the money, for example, through phishing scams.

Third-Party Coverage

If you were to purchase a home and its roof caved in, you as the homeowner would be covered for the costs associated with the collapse, i.e., the equivalent of the first-party coverage discussed above.

Now imagine you were the contractor who built that roof. You would need a liability policy to cover a loss to someone else that was your responsibility. Third-party coverage of a cyber liability policy provides just that. It protects those responsible for keeping others’ data safe against lawsuits. A cyber liability policy provides coverage for settlements resulting from lawsuits and the costs of defending the insured in such a suit. This coverage is critical for tech and IT companies, as well as IT consultants who will be held responsible in the event of a data breach.

  • Data Security and Privacy: This covers lawsuits that allege that you failed to properly protect sensitive data in your control, i.e., stored on your computer systems. The data could belong to your employees, customers or vendors.
    The carrier could use the wording that coverage triggers due to “any failure to protect” or require an intentional breach. “Any failure” wording is advisable since it is much broader.
  • Regulatory: This covers civil or administrative fines and penalties. Three major regulations to be familiar with – HIPAA, GLBA, and PCI.

    – HIPAA – a notification must be issued within 60 days to all affected and potentially affected individuals. Also, the Department of Health and Human Services must be notified. If over 500 records have been compromised, the media must be notified as well.

    – GLBA – all affected, or potentially affected individuals must be notified, as well as credit reporting agencies and in some cases government notice is required. The exact regulations vary by state.

    – PCI – all affected and potentially affected must be notified immediately. The laws regarding exceptions and who else must be notified vary by state.

  • Cyber Media: This covers lawsuits resulting from the content of media released on your website. This includes libel and slander, commercial appropriation of a person’s name or persona, etc.

Policy Triggers

  • Retroactive Date: Virtually all cyber liability policies are issued on a claims-made basis.  The trigger on these policies is whether the claim is brought in during the policy period.  Retroactive date refers to a date, prior to which no claims will be covered. It is important to maintain continuous coverage of a claims-made policy, or purchase “tail” policy to keep the original retroactive date. The loss of the retroactive date may result in your claim being denied even though it would have been covered otherwise.
  • Territory: Often the policy will limit coverage to the USA and its territories. Loss or theft of an electronic device can happen anywhere, especially during hectic business trips or even on an employee’s family trip to which they decided to bring a work laptop. It is better to negotiate the inclusion of all territories into the policy.

Now you can see the major coverages of a cyber insurance policy.  It’s important to make sure that your policy fits your unique needs. An expert broker can help navigate the pitfalls, the exclusions, and the triggers to negotiate the best policy terms for you.
