It seems every day the news includes stories about one form of cyber-intrusion or another: email servers hacked, financial records hijacked by malware, personal privacy compromised or "ransomed," business or personal funds "phished" away. Experts say the question is not whether your business will be hacked, it's when. Like most business risks, one means of protecting against losses caused by cyber attacks or accidents is insurance. Have you reviewed your policies lately? Are you covered for the risks you are most likely to face? Many companies who thought they were covered have received unpleasant surprises when disaster struck.
For example, a grocery store chain in Alabama was sued by credit unions when the grocer's computer network was hacked, compromising confidential data, including customer credit and debit card information. The credit unions asserted the grocer was liable for the resulting losses and expenses because the data breach was caused by the failure to maintain adequate computer security, employee training, and other protections. The grocer sought a defense and indemnification from its insurer, which denied the claim. In the ensuing coverage lawsuit, the court agreed with the insurer that the losses alleged by the credit unions were not covered under either the first-party property or third-party liability provisions of the grocer's business insurance. Camp's Grocery v. State Farm (N.D. Ala. 2016). Although that case was decided under Alabama law, it is consistent with decisions across the country.
Some cyber risks may be covered under a business owner's package or other commercial liability or property policies. When the computer systems of Lambrecht & Associates, an employment agency, were shut down by a virus, its business insurer denied coverage, insisting the damage caused by the virus was not an "accidental direct physical loss to business personal property." Rather, the insurer said, it was the result of a hacker's intentional act and the data did not exist in physical or tangible form. The trial court ruled for the insurer, but the Tyler Court of Appeals reversed. Lambrecht & Assoc. v. State Farm Lloyds (2003). The appeals court held the intentional-act exclusion must be viewed from the standpoint of the insured, and there was no evidence Lambrecht intentionally introduced the virus to the system. As for physical loss to property, the court held the relevant property was not the data, but the computer server and storage media, which were rendered unusable by the virus. The policy expressly covered the cost of replacing records stored in electronic media, as well as business income lost during the recovery period.
Standard business policies, however, are increasingly less likely to provide sufficient protection for cyber losses. Indeed, the most common risks are expressly excluded by many current policies, as insurers encourage policyholders to purchase specific cyber endorsements or separate cyber policies. A host of add-on or standalone cyber policies are now available, covering a wide array of potential losses.
"I'm covered--I have cyber insurance." Famous last words before a disaster. Consider, for example, Apache Corporation, which purchased a crime policy with a "computer fraud" provision, but discovered too late it did not cover losses from a "phishing" scheme that began with a bogus phone call to an employee, was furthered by a deceptive email with an attached forged letter, and ultimately completed by an unauthorized transfer of funds to a foreign account. The Fifth Circuit, applying Texas law, held the computer fraud coverage was not triggered because the fraudulent transfer was not "directly" caused by the deceptive email but required other actions to succeed. Apache Corp. v. Great American Insurance (2016).
Similarly, P.F. Chang's learned too late that its comprehensive cyber security policy from a major carrier did not cover payments to reimburse a third-party credit-card processor for assessments charged by Master Card following a data breach involving 60,000 account holders. Although many of the company's losses were covered by the policy, a federal district court in Arizona held the Master Card assessments were excluded because P.F. Chang's liability arose from its contract with the credit-card processor. P.F. Chang's China Bistro v. Federal Insurance (2016). In another case involving theft of credit card and checking account information, DSW Shoes overcame its insurer's objections to recover its losses under a "Computer & Funds Transfer Coverage" endorsement. Retail Ventures v. Nat'l Union Fire Ins. (6th Cir. 2012).
So, it is not enough to have cyber insurance; you need coverage to fit your risks. The critical first step is realistically appraising the risks posed by your operations. Those risks vary, depending on several factors, including the size and visibility of the business, the number of employees and customers, and the type of information maintained. Do you keep employee or customer records containing identifying information such as social security numbers, birth dates, addresses, etc.? Is any of the information covered by HIPAA or other privacy laws? Does the data encompass individuals who reside in other states? What would it cost to send notices complying with the notification laws of multiple jurisdictions to all your customers if their information were compromised? What other costs would you incur in the event of a data breach or other cyber event? If your data is processed by a third-party vendor, what do you know about its cyber security or insurance coverage? If your business has shareholders or other investors, are the officers and directors at risk in the event of a cyber disaster? If you have not conducted a thorough analysis of these and other risks, you can be pretty sure your insurance program has gaps that will be painful to discover after the fact.
The market for cyber coverage is developing rapidly; the forms are not standardized and respond to many types of loss. One policy, for example, may provide excellent coverage for "first-party" business losses triggered by lost data but not respond to liability claims asserted by third parties. Another policy may exclude coverage for losses caused by employee negligence or wrongful acts, which are common causes of security breaches. Additionally, some insurers and brokers offer comprehensive risk management, mitigation, and event-response services, while others provide more bare-bones coverage and services. The more comprehensive packages encompass a wide scope of both firstparty and liability coverages, subject to varying policy limits and deductibles. These may include (under a variety of names):
- Security and Privacy Liability
- Network Interruption
- Event Management
- Cyber Extortion
- Injury to Reputation
As with other business risks like fire or theft, cyber insurance is not a substitute for solid risk mitigation practices appropriate to your business. In fact, the strength of your cyber security measures and incident response plan play an important role in the underwriter's decisions about the coverages offered and the premiums required. And because of rapid market changes and variable policy terms, it is wise before buying cyber coverage to request a copy of the policy itself--not just a brochure or summary--and have it reviewed by an experienced attorney or other professional who is familiar with the coverage issues businesses like yours have confronted.