Policyholders and insureds exposed to cyber risks would be wellserved to analyze carefully their insurance policies to determineexactly which coverages apply to them—and to see if any criticalcoverages are missing.

Cyber Liability insurance should provide coverage for the vastmajority of key cyber risks, and there may also be overlappingcoverage under other policies for such exposures.

The first place that a company should look to determine whetherit has, or may have, coverage for cyber risks is any specific CyberLiability policies that the entity holds. A very close look atthese policies is warranted, as the coverage under such policiesoften varies significantly from carrier to carrier—and even withinthe various forms that one particular insurance company offers.

Note that just because a policy is sold as a cyber-insurancepolicy, the insurance company will not automatically agree to coveror defend against potential liabilities for all cyber risks.Cyber-insurance policies are relatively new and not as regulated asmore traditional insurance policies; the market for cyber coverageis referred to in some circles as the “Wild West” of insurance.

Cyber policies are often sold with various coverage modules,provisions and insuring agreements, allowing for companies tocherry-pick the specific coverages they want to purchase. Becauseof the variety of options offered in the marketplace and thepotential to select specific risk protections, a careful review ofthe policy form before a claim arises is critical.

When reviewing Cyber Liability policies from the highest level,the buyer should determine whether there is coverage for so-calledfirst-party risks and third-party risks (see above chart).

PRE-CLAIM APPROACH

Entities should consider closely whether their policies providecoverage for privacy breaches even before there has been a claim—toensure that coverage exists for costs incurred immediately afterthe discovery of a data breach—including investigation andnotification costs. (These costs may be referred to as “voluntarynotification” costs among those in the industry, though they maynot truly be “voluntary.”)

Certain cyber-insurance policies exclude coverage for costsrelating to breaches of contract; so those entities handling dataon behalf of contracting partners should consider how such anexclusion would affect the entity's ability to handle a cyberincident that leads to breach-of-contract damages.

Although many non-cyber policies purport to exclude suchdamages, data-breach-based class actions often seek such damages.Entities should also consider whether there is coverage for anysecurity audits that may be required by certain third parties, suchas business partners.

As to first-party risks, the entity should consider protectionfor data loss or corruption; the inability to access data; and theinability to conduct business due to the inaccessibility of thevarious cloud-computing platforms on which the entity relies orprovides to clients. The trigger for such coverage should not belimited to a “physical” cause of loss and should be broad enough toinclude cyber attacks, data breaches, hackings and othercrime.