Earlier in the year, Alexandra Dattilo warned us that data-breaches may not be covered by the typical commercial general liability (CGL) policy. And, indeed, insurance companies are fighting a two-front war to keep data-breaches out from the coverage provided by CGL policies. In the courts, the insurers are arguing that CGL policies never covered data breaches. And in the market, they are selling policies subject to exclusions aimed at carving out liability for all manner of cyber risks.
But just as CGL policies are phasing out coverage for data-breaches, the risk of a data-breach has never been greater. The news is replete with examples. Anthem,Home Depot, Sony—they, and so many others, have all been the victims of recent data breaches. And according to the Ponemon Institute, which studies information and privacy management practices, even more data breaches could be in store for 2015. (Ponemon Institute, 2014: A Year of Mega Breaches, at pg. 1, available for download here.)
So, with CGL policies shrinking from the growing risk of data-breaches, how does your business protect itself? A cyber-risk policy might be the answer.
Now, the first thing you need to know about a “cyber-risk” policy is that there is not one such thing, but many. A number of insurers offer different products, whose terms and conditions vary from policy to policy. In general, though, policyholders can purchase insurance that protects against the following risks:
- Data Breach
- Regulatory Investigation
- Misappropriation of Intellectual Property
- Transmission of Malicious Code
- Data Recovery
- Business Interruption
But beware: What a cyber-risk policy gives with its right hand, the left hand can just as easily take away. And in fact, many of these policies are subject to exclusions, which may defeat the purpose for obtaining the coverage in the first place.
For example, some policies may over-restrict the coverage territory, such that they apply only to claims made in the United States. The internet is international, so in order to truly protect against all risks, the policyholder needs coverage against claims no matter where they are made.
Also, some policies contain exclusions for “failure of security,” which require the policyholder to maintain certain minimum levels of data security, or else forfeit coverage. Depending on how broadly these provisions are worded, they may make the insurance hardly worth the cost. After all, the main reason to buy cyber insurance is to protect against the risk that the policyholder’s security measures will fail, either through negligence or otherwise.
If your company collects sensitive data, as most companies do, at least with respect to their employees, you may want to purchase one of the various cyber policies. Work with your insurance broker to identify which policy is right for you.