Policyholders and insureds exposed to cyber risks would be well served to carefully analyze their insurance policies to determine exactly which coverages apply to them, and to see if any critical coverages are missing.
Cyber Liability insurance should provide coverage for the vast majority of key cyber risks, and there may also be overlapping coverage under other policies for such exposures.
The first place that a company should look to determine whether it has, or may have, coverage for cyber risks is any specific Cyber Liability policies that the entity holds. A very close look at these policies is warranted, as the coverage under such policies often varies significantly from carrier to carrier—and even within the various forms that one particular insurance company offers.
Note that just because a policy is sold as a cyber-insurance policy, the insurance company will not automatically agree to cover or defend against potential liabilities for all cyber risks. Cyber-insurance policies are relatively new and not as regulated as more traditional insurance policies; the market for cyber coverage is referred to in some circles as the “Wild West” of insurance.
Cyber policies are often sold with various coverage modules, provisions and insuring agreements, allowing companies to cherry-pick the specific coverages they want to purchase. Because of the variety of options offered in the marketplace and the potential to select specific risk protections, a careful review of the policy form before a claim arises is critical.
When reviewing Cyber Liability policies from the highest level, the buyer should determine whether there is coverage for so-called first-party risks and third-party risks (see above chart).
Entities should consider closely whether their policies provide coverage for privacy breaches even before there has been a claim, to ensure that coverage exists for costs incurred immediately after the discovery of a data breach, including investigation and notification costs. (These costs may be referred to as “voluntary notification” costs among those in the industry, though they may not truly be “voluntary.”)
Certain cyber-insurance policies exclude coverage for costs relating to breaches of contract, so entities handling data on behalf of contracting partners should consider how such an exclusion would affect their ability to handle a cyber incident that leads to breach-of-contract damages.
Although many non-cyber policies purport to exclude such damages, data-breach-based class actions often seek such damages. Entities should also consider whether there is coverage for any security audits that may be required by certain third parties, such as business partners.
As to first-party risks, the entity should consider protection for data loss or corruption; the inability to access data; and the inability to conduct business due to the inaccessibility of the various cloud-computing platforms on which the entity relies or which it provides to clients. The trigger for such coverage should not be limited to a “physical” cause of loss and should be broad enough to include cyber attacks, data breaches, hackings and other crime.