Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.
Data breaches and cyberattacks occur across all sectors. In the past year there have been highly publicized mega-breaches of technology companies, entertainment companies, retailers, financial services companies, health insurers, manufacturers, and the federal government’s Office of Personnel Management. Even the most sophisticated systems are vulnerable to a data breach. And companies with any potential exposure—which includes any company that maintains employee information—are increasingly looking to cyber insurance as one way to manage the cost of a data breach.
Our article “Cyber Insurance: An Overview of an Evolving Coverage” provides an overview of cyber insurance. The first section (What Is Cyber Insurance?) describes the risks faced by companies and the coverage offered by cyber insurance. The second section (The Development of Cyber Insurance) describes the development of cyber insurance as a specialized coverage, the impact on cyber insurance development of breach notification laws, and the limits of coverage of existing insurance. The third section (Where Is Cyber Insurance Heading?) discusses the key coverage and exclusion battlegrounds in these policies, the emergence of cyber insurance litigation, and the challenges presented by the Internet of Things. We hope that companies will benefit from a better understanding of the scope and value of cyber insurance in making decisions about its value as one among different means of proactively enhancing their IT Security posture.