Policyholders and insureds exposed to cyber risks would be wellserved to analyze carefully their insurance policies to determineexactly which coverages apply to them—and to see if any criticalcoverages are missing.
|Cyber Liability insurance should provide coverage for the vastmajority of key cyber risks, and there may also be overlappingcoverage under other policies for such exposures.
|The first place that a company should look to determine whetherit has, or may have, coverage for cyber risks is any specific CyberLiability policies that the entity holds. A very close look atthese policies is warranted, as the coverage under such policiesoften varies significantly from carrier to carrier—and even withinthe various forms that one particular insurance company offers.
|Note that just because a policy is sold as a cyber-insurancepolicy, the insurance company will not automatically agree to coveror defend against potential liabilities for all cyber risks.Cyber-insurance policies are relatively new and not as regulated asmore traditional insurance policies; the market for cyber coverageis referred to in some circles as the “Wild West” of insurance.
|Cyber policies are often sold with various coverage modules,provisions and insuring agreements, allowing for companies tocherry-pick the specific coverages they want to purchase. Becauseof the variety of options offered in the marketplace and thepotential to select specific risk protections, a careful review ofthe policy form before a claim arises is critical.
|When reviewing Cyber Liability policies from the highest level,the buyer should determine whether there is coverage for so-calledfirst-party risks and third-party risks (see above chart).
|PRE-CLAIM APPROACH
|Entities should consider closely whether their policies providecoverage for privacy breaches even before there has been a claim—toensure that coverage exists for costs incurred immediately afterthe discovery of a data breach—including investigation andnotification costs. (These costs may be referred to as “voluntarynotification” costs among those in the industry, though they maynot truly be “voluntary.”)
|Certain cyber-insurance policies exclude coverage for costsrelating to breaches of contract; so those entities handling dataon behalf of contracting partners should consider how such anexclusion would affect the entity's ability to handle a cyberincident that leads to breach-of-contract damages.
|Although many non-cyber policies purport to exclude suchdamages, data-breach-based class actions often seek such damages.Entities should also consider whether there is coverage for anysecurity audits that may be required by certain third parties, suchas business partners.
|As to first-party risks, the entity should consider protectionfor data loss or corruption; the inability to access data; and theinability to conduct business due to the inaccessibility of thevarious cloud-computing platforms on which the entity relies orprovides to clients. The trigger for such coverage should not belimited to a “physical” cause of loss and should be broad enough toinclude cyber attacks, data breaches, hackings and othercrime.
|
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- All PropertyCasualty360.com news coverage, best practices, and in-depth analysis.
- Educational webcasts, resources from industry leaders, and informative newsletters.
- Other award-winning websites including BenefitsPRO.com and ThinkAdvisor.com.
Already have an account? Sign In
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.