The following is a Middle Market insight authored by Jonathan Reich, a Womble Carlyle attorney in the firm’s Winston-Salem office.
Why is cyber insurance important?
Almost every week another business is in the headlines for the latest data breach or cyber security attack. The Washington Post reported that more than 3,000 American businesses have been hacked, many of them small and midsized firms. At the other end of the scale, Fortune 50 retailer Home Depot recently announced that it has incurred $33 million of pretax expenses related to its 2014 data breach, which include liabilities to the payment card network for credit card fraud and the cost of reissuing cards, government investigation costs, and current and predicted future litigation costs.
The breadth, scope, and frequency of these attacks on American businesses have become so great that President Obama recently convened the first White House Summit on Cybersecurity and Consumer Protection and signed an executive order which encourages private businesses and insurance companies to share cyber security threat information with the federal government in an effort to increase national data security.
Business leaders and corporate boards can no longer ignore the very real possibility of unauthorized access to, and dissemination of, confidential customer information. This could be financial data, sensitive health information, or confidential trade or industry secrets. Through no fault of its own, a company can become the victim of malicious software or of a coordinated attack by international hackers who seek to sell the information gained or hold it for ransom.
Cyber insurance programs are necessary for small, mid-size, and large businesses to help them manage the risks from data breaches. Simply put, cyber insurance can provide a business with protection in the event of a cyber attack. Cyber is also the most rapidly growing area of insurance in America: Betterly Risk Consultants reported that in 2010, American cyber premiums totaled only $600,000, but were expected to be $2 billion for 2014. Currently, there are at least four dozen insurance companies offering cyber insurance on the commercial market. Cyber insurance is available as both first party and third party insurance, and can be written on a primary or excess basis. Lloyd’s of London, with its ability to form syndicates, has emerged as a leading provider of cyber insurance. Cyber coverage can also be provided or supplemented by a company’s own captive insurance company.
What coverage is available?
One of the first things a company should know is that a standard Commercial General Liability policy typically does not cover cyber losses, especially the more recent CGL policies which expressly exclude such losses. Thus, cyber coverage has to be procured separately.
Cyber coverage can be written as first party coverage, third party coverage, or both. You can think of first party cyber coverage as akin to property insurance: it protects a business’s own data, or reimburses the business for harm to itself. Third party coverage, on the other hand, is a liability insurance policy which protects the business against claims brought by others (typically, a lawsuit brought by clients, business partners, or regulatory bodies).
First party coverage can typically include coverage for restoring lost data; reimbursement for the destruction, theft or fraud of a policyholder’s data; reimbursement of legal or consultant fees for a forensic investigation of how the cyber attack occurred; and extortion coverage which (similar to a kidnapping policy) can pay a “ransom” to a hacker in return for the non-disclosure of confidential information.
Third party coverage includes defending and indemnifying the business against civil lawsuits, settlements, or regulatory penalties resulting from a data breach. Third party coverage can also include public relations expense; the cost of notifying business counterparts, employees, and customers; and the cost of ongoing credit monitoring for customers.
What issues should be considered?
Although there are many insurance companies in the market providing cyber insurance, and many coverages are available, not every cyber policy provides all of these types of coverage. Policies range from narrow privacy and network security policies to incredibly broad policies. Buyers of cyber insurance need to know (1) what their risks and vulnerabilities are and (2) what policies are offered that will actually insure those risks.
For example, a retailer or restaurant which handles large amounts of credit, debit, and pre-paid card transactions must comply with the data security standards of the payment card industry (“PCI”) or risk fines for non-compliance. However, most cyber liability policies exclude fines unless the fines are government-imposed regulatory fines and penalties. Because the credit card industry holds merchants responsible for data breaches as a matter of contract law – and not as a matter of government regulation – a PCI endorsement or a rider should be purchased separately or added to the package of policies which the retailer or restaurant has.
Another example of the evolving market is that, for many years, there were no commercially available cyber policies which covered a physical loss resulting from a data breach. In the event that a company’s industrial controls are infiltrated – as happened at a German steel mill which could not shut down its blast furnace before “massive” damage occurred – large physical losses can result. Damage to industrial controls and machine tools, if it is the result of a traditional cause of loss, would usually be covered under a traditional first-party property insurance policy. However, the property insurance policy that a business already has may not cover physical loss from the infiltration of the company’s automated machine tools.
As cyber risk broadens beyond the theft of data and moves towards the commandeering of industrial systems, the importance of cyber coverage for physical loss will only grow. To confront these issues, insurer AIG in 2014 began offering a cyber policy, marketed as CyberEdge, which provides coverage for physical loss. Other insurers are now offering cyber insurance which covers physical loss as well.
Just as there is no standard form for cyber insurance, there is also little standardization in the market regarding premium ranges. Because of the nature of cyber attacks – low frequency and high severity – the insurance industry is still attempting to better understand and quantify the risks it is accepting. Reported premiums vary widely between insurance companies and industries: from as low as $2,000 to as high as $50,000 for $1 million in coverage. In other words, it pays to shop around for cyber insurance policies, and to be informed as to what exactly is covered and excluded. Companies that have purchased cyber insurance are buying as little as $500,000 in coverage or building towers of insurance of $250 million or more. Home Depot has confirmed that it has at least $105 million in total cyber insurance available.
How we can help.
Businesses (and boards of directors) that have already purchased cyber insurance should continually seek information from outside insurance counsel and specialist insurance brokers regarding cyber coverage and trends in the market. Insurance counsel can review existing policies to determine what coverage has already been obtained and where gaps in coverage may exist. Counsel can also assist the board of directors in understanding the company’s potential cyber liabilities and whether insurance solutions are available for them.