*This is the third post in a five-part series on cyber insurance, culminating in a webinar entitled “Insurance Coverage for Privacy and Data Breaches, Hot Topics and Critical Issues” on Wednesday, April 22, 2015, at 12:00-1:00 p.m. Eastern.
Two questions we often hear from CEOs and CFOs are “what do cyber insurance policies cover?” and “how much do they cost?”
Cyber risk insurance policies typically offer both first-party coverage (covering the policyholder’s losses) and third-party coverage (covering defense costs and damages and liabilities to third-parties, e.g., customers, business partners, and regulatory agencies, resulting from the policyholder’s actions or omissions).
First-party coverage typically covers the following:
- Forensic investigation – The first steps following the suspicion of a data breach are to determine whether a breach occurred, contain the damage if it did, and then investigate the cause and scope of the breach. This coverage covers the cost to hire computer forensics consultants working under the direction of your attorneys to determine whether a data breach occurred, to contain and prevent further damage, and to investigate the cause and scope of the breach.
- Computer and data loss replacement or restoration costs – Desk and laptop computers, servers, and data can be damaged as a result of a hacker’s activities. This coverage covers the cost to replace or restore lost or damaged computers and servers, and the cost to restore or recreate data.
- Business interruption and extra expense – For many businesses, if your network is down, you are losing money. This coverage covers lost profits and extra expenses following a data breach. This may include having to pay for alternative network services and the extra expense of having your employees work overtime to respond to the breach.
- Public relations expense – The Ponemon Institute reported abnormal churn rates (or lost business) by industry following news of a data breach in its 2014 Cost of Data Breach Study: United States. The highest losses were in the financial, technology, transportation, and healthcare industries, ranging from 7.1% down to 5.3%, respectively. Public relations consultants can help your business communicate appropriately with customers, business partners, and the public in response to news of a data breach, to try to prevent and limit lost business.
- Notification costs, call center, and credit monitoring for victims of the breach – As of this post, 47 States, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have data breach notification laws that require notifying your customers in the event of a data breach. Some of these state laws also require notification of state Attorneys General, regulatory agencies, and credit reporting agencies following a data breach. This coverage covers the cost of a consultant working with your attorneys to prepare and provide the notifications.
- Electronic theft and fraud protection – Criminals often hack into accounts to steal money, as opposed to simply wreaking havoc or collecting data. This coverage covers your financial losses resulting from these events.
- Cyber extortion – Criminals have continued to send what appear to be legitimate emails with hyperlinks to ransomware programs that encrypt the data in a user’s computer. The Tewksbury, Massachusetts and Midlothian, Illinois police departments recently reported that they paid demands from cyber criminals of $500 each to decrypt their computers. This coverage covers the cost for such extortion amounts.
Third-party coverage covers the cost to hire attorneys, consultants, and expert witnesses to defend your company from civil lawsuits by customers, business partners (such as vendors harmed as a result of malware delivered by your network), and shareholders (who claim the value of their investment has been damaged because of management’s failure to employ reasonable privacy and security practices), and the resulting settlements or judgments entered against you. Many companies additionally seek third-party coverage to provide a defense to regulatory or administrative agency investigations and prosecutions, e.g., by the Federal Trade Commission, Federal Communications Commission, or State Attorneys General. This coverage often covers fines and penalties, and possibly punitive damages under certain circumstances where the payment of punitive damages is not prohibited by state law.
Like all things, the cost of cyber insurance can vary. However, the average cost for $1 million of coverage is between $12,500 and $15,000 across various industry sectors, including healthcare; transportation; retail/wholesale; financial institutions; communications, media and technology; education; and power and utilities. (See Testimony-Beshar-2015-01-28, the testimony of Peter J. Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, before the United States Senate Committee on Homeland Security & Governmental Affairs, Jan. 28, 2015.) Renewal rates for cyber insurance policies in 2015 have risen from 2014 rates by 5% on average, with the highest jump of 10% for retailers because of increased loss activity in 2014. Some companies purchase towers of insurance coverage in the tens of millions of dollars, such as Target, which reported $90 million of coverage, and Home Depot, which reported $105 million of insurance coverage, in recent filings related to their data breaches.
Again, this only scratches the surface as coverages can vary widely under insurance policies, including the scope of coverage, aggregate policy limits and sub-limits, self-insured retentions (or deductibles), and coverage periods.