Massive cyberattacks and data breaches have become routine. The window of opportunity for obtaining insurance coverage for the resulting costs under “traditional” first-party or general liability policies is rapidly closing. Courts have ruled inconsistently, and the insurance industry has responded to the exponential increase in exposure by endorsing policies to exclude such losses. Brokers and bloggers everywhere are urging the purchase of specialized “cyber” insurance to cover the resulting costs. A relative novelty only a few years ago, cybercoverage is now a must-have for many businesses.
That said, many businesses are being sold costly policies that include coverage they don’t need or that fail to address key areas of risk. Here are five tips to help you find the form that fits.
1. What Coverage Do I Need?
Deciding whether to buy specialized cybercoverage is the comparatively easy part. The real challenge is figuring out exactly what to buy and from whom. There currently is no industry standard for cyberpolicy forms; insurers have developed their own idiosyncratic products. The coverage is referred to by a variety of names, and the policies vary widely in terms of the coverage provided. Even those that appear to offer the same menu of coverages may differ significantly when you get down to the fine print. Unlike “traditional” policies, most combine both third-party liability and first-party insurance in a single form. To complicate matters further, the coverage often overlaps with other professional, media and technology errors and omissions policies, general liability policies and first-party property policies. And because these products are of relatively recent vintage, courts have had little or no opportunity to issue authoritative interpretations of their provisions, adding to uncertainties regarding the scope of coverage.
To select wisely among the dizzying array of policy terms, the buyer needs to gain an in-depth understanding of two basic factors: 1) its own, unique risk profile; and 2) the variations in the products on the marketplace. The broker should be the buyer’s partner in this endeavor, and should be the principal source of intelligence on the products available. Legal counsel can also help to identify gaps in the coverage forms and customize policy wording to address the buyer’s specific requirements. But there is no substitute for the buyer knowing precisely what coverage is needed to address the risks inherent to its own particular business.
2. What Are My Risks?
To appreciate the unique nature of each company’s risk, one need only look at the range of recent cyberincidents. While generically dubbed “cyberattacks” or “data breaches” by the media, the events themselves differ in many respects, including the attack vectors, the data targeted, the motivations of the hackers and the nature of the fallout. Some involve phishing scams, as in the case of JPMorgan Chase and Anthem. Some involve distributed denial of service attacks that overwhelm and shut down a network, like the one that took down the BBC’s global website in January. Some involve installing malware on point-of-sale systems, as was true with Target and Home Depot. Many involve the theft of personal information, including credit card and bank account data, for criminal purposes. Some attacks involve no exfiltration of data, but instead are politically motivated or designed to “make a point.” Others even aim to cause significant physical damage, like the attack on the ThyssenKrupp steel mill in Germany last year.
To assess its own risk, the prospective purchaser of cyberinsurance should be asking: What are the key vulnerabilities of my business? Do we process millions of customer credit card transactions and retain such data on our systems? Do we depend on the internet and/or online sales, so that a network shutdown for any length of time would mean lost income? Do we perform technology services for others, such as systems analysis, data processing and web hosting? Do we provide critical services to the public? Do we depend on automated systems that are controlled by a network or through the Internet? The answers to these questions will inform the choice among various types of cybercoverage.
3. What Losses and Costs Would I Face?
It is also important to assess the likely big-ticket losses and costs that could be suffered in the event of a breach. Most companies will incur significant costs for forensic analysis of the causes of the breach and vulnerabilities in its systems. Those that handle personal and credit card information can anticipate substantial costs to notify record holders, provide credit monitoring and identity theft protection services, respond to regulatory inquiries and to card-brand investigations and penalties, and to defend against class action lawsuits. The potential for third-party litigation is a key variable, since the legal fees in particular are likely to be a significant cost component. Those whose businesses are vulnerable to lengthy interruption due to an attack must consider the potential impact of lost income and the kinds of extraordinary expenses they would have to incur to continue operations. Because the coverages available under cyberpolicies vary materially, it is vital for the buyer to know what protection is essential for its survival in the event of a breach.
4. What Coverage Is Available?
Cyberpolicies available in the marketplace typically offer a broad range of coverages. In some policies, coverage for third-party liability and first-party loss are kept strictly separate, while in others the coverages may be combined with respect to damages and losses arising out of similar events. For typical coverages offered, see the first table below.
5. What Coverage Best Matches My Risk Profile?
Identifying the best match between cybercoverage available in the marketplace and the policyholder’s realistic risk is an exercise that deserves more time and attention than a cursory review just before policy renewal time. The process should involve key constituents in risk management, information security, legal and the C-suite, as well as, ultimately, the broker. Corporate data is important, e.g., what is the size of our business, how many customers do we have, how many records do we maintain and of what type? But so are attack scenarios and stress tests. There is no substitute for understanding how your business in particular is vulnerable to a breach and what the cost implications might be.
The second table below illustrates how the need for specific cybercoverages may vary by business type.
Insist on the Right Product for Your Business
Understanding the intersection between likely risk scenarios and the available types of coverages puts your business in the best position to secure coverage closely tailored to its needs. No business should be buying insurance with a “cyber” label that provides either inadequate or wholly irrelevant protection. There are enough players in the marketplace, enough variations on the coverage forms and enough flexibility to adapt to special circumstances that the buyer should not settle for anything “off the shelf.” With proper forethought, with robust assistance from your broker and with careful review of the forms by your legal counsel, you can secure cybercoverage that is the right fit for your business.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.