Increasingly, companies are looking to insurance to help manage their cybersecurity risks and defray losses sustained from data breaches. Losses can range from reputational damage, business interruption, and professional fees for computer forensic services and attorneys to handle regulatory inquiries or lawsuits. In the event of a data breach or other cyber incident, recent rulings suggest that traditional insurance policies, like a company’s Commercial General Liability Policy (CGL), may provide coverage, or, at the very least, a defense to lawsuits spawned by cyber events.
How do you know if you are covered under traditional policies? First, carefully review the language of traditional insurance policies, such as CGL policies, to see if a data breach or the release of personally identifiable information (PII) fits within the policy’s definition of a covered event. Even if it looks like the language is broad enough to include data breaches or other errors that result in the release of PII, it still may not be enough. Some courts have delved into the parties’ intent and declined to find coverage where the parties did not clearly intend to cover cyber incidents. Other courts have strictly interpreted the language in the policy, finding coverage regardless of whether the parties anticipated cyber events at the time the policy was issued.
Coverage cases are highly fact specific. Coverage may not only depend on the language in a policy, but it may also turn on the overall attitude of the courts toward the intended scope of coverage for cyber events. This uncertainty suggests that a company should reconsider cyber insurance, if it has not already purchased such a policy. While cyber insurance policies are still non-standard, with coverage varying from company to company, it is far more likely that a court will find coverage under a cyber insurance policy specifically intended to deal with cyber events than general language in a traditional CGL policy.
Rather than roll the dice on coverage under traditional lines of insurance, it may be time to focus on specific cyber insurance coverage as a part of your company’s comprehensive cyber risk management strategy. Be proactive. Consult with experts on your existing coverage and understand what policies are available in the market. Don’t wait until an incident to learn the scope of your coverage because it may not be as broad as you originally thought.