Most businesses understand that their exposure to cybercriminals is not a question of “if,” but “when.” With leaks and hacks on the rise, companies have started looking to insure against potential losses. Companies may look at two potential coverage sources: existing, traditional commercial policies or the emerging cyberliability market.
Insureds have had limited success in finding coverage under existing commercial general liability (CGL) policies. Such policies often include broad exclusions against typical losses related to cybercrimes. For example, CGL policies may specify that “electronic data is not tangible property,” thereby excluding damage to electronic data. Policies may also include specific exclusions for losses related to “data breaches.”
Other traditional policies, such as directors and officers (D&O), commercial crime, or property policies, also present coverage issues for insureds. For example, cybercriminals typically target the company as an entity, not individual employees, so D&O policies generally do not provide coverage. These policies may also include broad exclusions similar to those that have become more common in CGL policies.
The insurance industry has not developed a standard cyberliability policy. As a result, the policies come in many different forms and can be very confusing. Here are some common features:
- Policies may include several different grants of coverage, often with separate sublimits. For example, there may be separate sublimits for data losses, privacy notifications, reputational damage, cyber extortion, and so on. Sublimits effectively operate as exclusions from the overall policy limit.
- They are typically “claims-made” policies, and often include retroactive dates.
- They often include vastly different limits for first-party losses (e.g. investigation costs or legal defense costs) versus third-party losses (e.g. credit damage).
- The carrier may propose an “add-on” to an existing policy rather than a separate policy. Add-ons can increase the complexity and potential for confusion.
Cyberliability policies are difficult for insurers to underwrite. Given the newness of the market, this difficulty presents an opportunity for businesses to negotiate favorable policy terms. Generally, the more information a company can provide during the underwriting process, the better. Insurers may want to know what kind of data your company stores and for how long; how your company monitors and responds to risks; and what protection systems are in place.
Because the policies represent a relatively new product, coverage experts have noted that brokers often do not fully understand the coverage. Buyers should be careful to read every line of the proposed policy and should not rely on their broker’s interpretation.