Every single industry or business in this day and age has either been the victim of a cyber attack or is concerned they will be next. A few examples from the last couple of months show how widespread the problem is. In June, a global ransomeware attack quickly spread across 64 countries, impacting organizations from law firms, banks and governments to food producers and hospitals. The attackers demanded $300 in Bitcoin—approximately $977,000 U.S. dollars in total—from each victim to unlock their data. At the annual DefCon computer security conference in late July, hackers took less than 90 minutes to hack voter-ballot machines and at least one hacker even broke into the system wirelessly, suggesting that U.S. computer-ballot boxes may be susceptible to attack.
The costs and penalties associated with a cyber attack or data breach should not be underestimated. For example, NPR recently calculated the average cost of a health care breach at more than $2.2 million, “not to mention the reputation damage.” And the FCC recently ordered AT&T to pay $25 million in connection with the exposure of more than 250,000 U.S. customers’ information.
Even with increasing evidence that a cyber attack likely cannot be wholly prevented, much of the current analysis and conversation surrounding cyber attack defense is focused on updating hardware and software systems. However, a strong defense strategy against cyber attacks must also address potential liability, including through cyber-related liability insurance. Most companies and industries remain underinsured and exposed to substantial cyber attack liability. Small businesses have been particularly slow to obtain specialized cyber insurance, despite the fact that they are increasingly being targeted by hackers and may not be as well-positioned to absorb the costs of a cyber attack.
As your company designs its cyber attack or data breach defense strategy, you should also consider the ways in which insurance can cover some of those costs and play a role in protecting your business in the future. There is no “one-size-fits-all” cyber insurance product, but it is possible to obtain coverage for, among other things: regulatory fines; civil lawsuits; acts and omissions of third parties; remediation/crisis management; costs to restore data, hardware, or software; and non-digital data, such as paper records.
There are many issues to consider when evaluating cyber liability insurance. One important one is whether to get coverage for claims made against the company or the company’s acts. A representative policy covering claims may state:
This policy is a third-party liability coverage section and applies only to those claims that are first made against the insured and reported in accordance with the policy.
Other cyber-insurance policies may provide coverage for acts of the business, and not just those claims or suits made against the business. A policy like this may state:
In consideration of the payment of the annual premium and subject to all of the provisions of this policy the Insurer and the Policyholder agree as follows:
Cover under this policy is written specifically on a primary basis and applies only to acts, errors or omissions of an Insured committed after the Retroactive Date.
The type of business you’re in will largely drive which of these coverages will likely work best for you. For example, if your business is a technology company that designs software for point-of-sale transactions, your software will engage with and store all sorts of personal identifiable information (PII). If that software is subject to a cyber attack and the PII is stolen or disclosed, a first-party cyber-liability policy would likely not provide the best coverage, given that a technology company is not the owner of the PII. Conversely, a third-party cyber-liability policy would likely provide protection for liability associated with the disclosure of the PII, which could include the costs to notify customers and even the costs resulting from a governmental inquiry. So while there is no one “right” coverage, having the incorrect policy for your business’ needs could leave you open to significant liability.
A first step for a business contemplating coverage for cyber-related liabilities is to get a firm grasp on the business’ needs. The next step is to thoroughly examine existing policies to determine what cyber risks may already be covered. This analysis should include a review of all policies, from commercial liability to errors & omissions, and consideration should be given to all exclusions and limits of liability. Finding the right cyber liability policy to meet a business’ needs requires a comprehensive, team approach, including experienced insurance coverage counsel to help at every step of the way. Even more importantly, do not wait until your business is a victim of a cyber attack to take action regarding insurance coverage for cyber-related liabilities. Remember, a best defense is a good offense.