In a previous post, Cybersecurity Insurance Fills Important Gaps in Liability Insurance Coverage, we reviewed insurance coverage that is now available to protect companies against potential third-party claims resulting from their failure to protect the private or confidential data of consumers and other businesses.

An important compliment to “third-party” cybersecurity liability insurance is “first-party” cyber-risk insurance. “First-party” insurance coverage protects the insured against losses or damage that the insured itself sustains. Well-known “first-party” coverage includes health insurance and fire, flood, and other coverages afforded under traditional homeowner insurance policies.

In the cyber-risk field, “first-party” coverage protects companies against losses of their own data, damage to information systems caused by a cyber attack, and income lost while systems are off-line following a breach or other catastrophic failure.

More specifically, “first-party” insurance coverage is available to compensate companies for the following types of losses:

  • Costs resulting from denial of service attacks or inability to access websites
    or systems
  • Costs resulting from the unauthorized access to, use of, or tampering with
    data
  • Costs of forensic investigation to determine the cause and extent of data loss
  • Costs resulting from the loss of company data or digital assets
  • Costs resulting from the introduction of malicious code or viruses into company systems
  • Costs resulting from “cyber-extortion” or terrorism threats
  • Costs of data or system restoration
  • Business interruption expenses

As in the “third-party” field, “first-party” cyber-risk insurance (covering losses that may be excluded or otherwise not covered by traditional policies) is a recent addition to the insurance marketplace. Actuarial data is limited, coverage terms and conditions have not been tested rigorously in the courts, and loss cycles remain in progress. Limited data presents a challenge to any company seeking to purchase cyber risk insurance for damages and losses incurred from data breach incidents.

However, the uncertainty inherent in the sale of a new product presents an opportunity to companies seeking to negotiate favorable terms and conditions, to tailor coverage that relates to their specific business circumstances, and to negotiate reduced premiums as competition in the business continues to expand. Experienced counsel can assist companies not only in understanding the business and legal risks they face from cyber breaches, but also in assessing the utility of coverage terms, conditions, limitations, and exclusions proposed by potential insurers.