According to the World Economic Forum, cyber-attacks are cited as No. 2 in the top 10 global business risks. The following are some basics of cyber liability insurance.
This trend will continue through 2021 and is exacerbated by cybercriminals taking advantage of the pandemic.
In its early days, cyber insurance coverage was offered through either expensive, highly manuscript policy forms or cheap, sublimited endorsements to other policies. Today the cyber insurance market has advanced from a very niche risk transfer tool to a critical requirement for enterprise risk management.
Many clients still ask us some version of the question: What exactly is covered in a cyber insurance policy? Some companies even wonder if the cyber risk is insurable.
The good news is that yes, cyber risk is insurable, and here is how cyber insurance works.
What’s New in 2021
Even before the pandemic, cyber insurers were tightening their underwriting guidelines and asking for more details to better understand the risk they were insuring. Whether it is detail on backup procedures or questions about the specific security controls in place, companies looking for cyber insurance in 2021 can expect a more rigorous underwriting process.
After the pandemic hit, entire workforces migrated from working in an office, where cybersecurity was more controlled, to working from home. This presented immediate challenges, as cybercriminals took advantage of new technical and human vulnerabilities. Major challenges included bandwidth limits and insecure connectivity, employee access issues, and phishing, social engineering, and other “human” cyber risks.
Fortunately, cyber insurance was there each step of the way. Policies have responded due to broad coverage language for incidents both big and small—whether it involved network outages, data breaches, financial fraud, or ransomware.
But not all cyber insurance policies are equal, and the pandemic has highlighted a few areas of concern. Insureds were advised to check key definitions within their cyber policies, such as “computer system,” to ensure that employees working from home on a personal computer were covered.
Potential exclusions included voluntary shutdowns and personal network outages, such as an employee losing internet access at home or having a slower connection than what was available at the company office.
What Cyber Insurance Covers
Every company faces cyber risk regardless of its size; however, the bigger you are, the more areas of vulnerability you have.
The most prominent cyber risks are privacy risk, security risk, and operational risk.
Generally, cyber insurance is designed to protect from these primary risks through five distinct insuring agreements:
- Network security
- Privacy liability
- Network business interruption
- Media liability
- Errors and omissions
In particular, network security and privacy liability can include both first-party and third-party costs. Let’s go into each element and what specific cyber risk it covers.
A network security coverage grant is important for most companies, particularly those exposed to information risk and privacy risk. This aspect of cyber insurance covers your business in the event of a network security failure, which can include a data breach, malware infection, cyber extortion demand, ransomware, or business email compromise.
Network security coverage includes first-party costs, meaning expenses that you incur directly as a result of the cyber incident, including:
- Legal expenses
- IT forensics
- Negotiation and payment of a ransomware demand
- Data restoration
- Breach notification to consumers
- Setting up a call center
- Public relations expertise
- Credit monitoring and identity restoration
Privacy liability coverage is also important for most companies, particularly those with information risk or privacy risk.
Customer and employee information can be sensitive and breaches or violations that expose such data not only threaten the security of those compromised but expose your business to liability.
Privacy liability coverage protects your company from liabilities arising out of a cyber incident or privacy law violation. These third-party costs can range from liabilities assumed under a contractual obligation to regulatory investigations by governments and law enforcement.
Here are two examples:
- Defending your organization from consumer class action litigation and funding a potential settlement in the event of a cyber incident or data breach.
- Legal expenses, fines, and/or penalties incurred due to a regulatory investigation by government or law enforcement, both federal and foreign (fines and penalties are typically covered only where insurable under applicable law). Imagine what would happen to your company if a foreign governmental body investigated and levied a penalty on your company for a privacy event or violation, especially with regulations such as GDPR and CCPA granting consumers increased rights with regard to their personal information. Another cyber risk area is FTC privacy consent decrees and their associated fines or penalties.
How dependent is your organization on technology to operate? Network business interruption coverage provides a solution for companies that face an operational cyber risk.
When your network, or the network of a provider that you rely on to operate, goes down due to an incident, you can recover lost profits, fixed expenses, and any extra costs incurred during the time your business was impacted, typically after a waiting period defined in the policy.
This includes loss arising from:
- Security failures, like a third-party hack.
- System failure, such as a failed software patch or human error.
Media Liability
Media liability coverage provides protection for intellectual property infringement, other than patent infringement, resulting from the advertising of your services. It often applies to both your online advertising, including social media posts, and your printed advertising.
Errors and Omissions
A cyber event could keep you from fulfilling your contractual obligations and delivering services to your customers. E&O covers claims arising from errors in the performance of or failure to perform your services.
This can include technology services, like software and consulting, or more traditional professional services like lawyers, doctors, architects, and engineers.
E&O coverage addresses allegations of negligence or breach of contract should this occur and can include legal defense costs or indemnification resulting from a lawsuit or dispute with your customers.
Cyber Insurance Enhancements
It’s true that most cyber policies contain some combination of the above coverage elements with the basic insuring agreements covered up to the full policy limits.
But beyond the basic insuring agreements, there are numerous available coverage additions that are typically added to provide better coverage.
The following enhancements are generally available and sublimited to an amount less than the full policy limit.
Social engineering coverage is designed to protect companies from funds transfer fraud situations. The most common example is an employee duped into sending money from your bank accounts to a malicious hacker.
Social engineering coverage can also be found on most modern crime insurance policies, sometimes with higher sublimits and broader coverage than on a cyber-specific insurance policy, so check both policies before assuming where a funds transfer fraud loss would fall.
Reputational harm is the continuing profit impact of a cyber event due to brand reputation damage. This is usually limited to a specific time period and includes aversion to a brand following a publicized cyber event, such as a privacy event or security breach.
Bricking coverage covers the replacement cost of technology equipment that is rendered useless by a malware attack. If your laptop or server becomes as useful to your corporate network as a masonry brick, you’ll know where to look for coverage.
Cyber Insurance: What’s Typically Not Covered
As with all insurance policies, there are exclusions that are important to understand. Cyber insurance policies generally do not cover:
- Potential future lost profits.
- Loss of value due to the theft of your intellectual property.
- Betterment: the cost to improve internal technology systems, including any software or security upgrades after a cyber event.
Be aware that standard property, general liability, and directors and officers liability insurance do not typically provide any cyber liability coverage.