Earlier this week, HBO announced that it had suffered a “cyber-incident” involving the compromise of “proprietary information” that reportedly includes forthcoming episodes and scripts from popular HBO shows such as Game of Thrones. The HBO breach is the most recent in a growing list of cybersecurity issues faced by Hollywood studios this year. In an e-mail to HBO employees, CEO Richard Plepler called the cyber attack “disruptive, unsettling and disturbing.”
We have previously outlined the importance of robust coverage for cyber incidents on this Blog. Given that the HBO data breach was just disclosed, it is unclear what, if any, third-party claims may arise out of the alleged theft of programming data. But HBO’s data breach raises questions about the scope of potential coverage for numerous first-party losses, such as lost revenue and intrinsic value of stolen IP.
Generally speaking, cyber policies focus primarily on investigation and response to breaches resulting in the disclosure of personally identifiable, non-public information. Many standalone cyber policies provide coverage for losses frequently encountered in these situations, such as privacy notification costs, extortion or ransom costs, and other “crisis management” expenses (e.g., forensic investigators and public relations consultants). Thus, policyholders facing cyber theft of proprietary information like the data at issue in the HBO breach may be covered under cyber policies for significant costs incurred in investigating and responding to the breach.
But most cyber policies do not provide coverage for indirect or “soft” costs arising from a data breach, including loss of future business, customer goodwill, or devalued IP—all of which could be implicated in HBO’s programming theft depending on the nature and scope of the stolen data. The inability to insure reputational harms and other property losses under cyber policies following a data breach presents the potential for significant coverage gaps.
Many of these losses, however, may be covered under traditional commercial crime or even commercial property coverage. Accordingly, as highlighted in prior posts (here and here), comprehensive “cyber” programs must include both adequate cyber security protections and appropriate first-party and third-party crime and property coverages. Although insurers have begun to offer new products providing clearer and broader coverage for cyber harms, the HBO breach underscores the importance of maintaining a robust cyber insurance program that includes both cyber and “legacy” coverages.
We may not have seen the last of the HBO breach, as the hacker claiming to have obtained the data vowed that more would be “coming soon.” Despite the rise of highly-publicized data breaches, policyholders should not focus solely on “cyber” coverage under the false assumption that it encompasses all possible loss arising from a data breach. Rather, cyber coverage should be evaluated as just one part of a company’s overall risk program, which should include other types of coverages that may fill potential gaps in cyber policies. In a recent interview, the head of our insurance litigation and recovery practice, Walter Andrews, discusses several ways businesses can maximize their recovery following a cyber attack. Consulting with experienced coverage counsel to perform a cyber policy review can help identify and mitigate cyber risks.