WHAT DOES CYBER INSURANCE COVER?
Many of the world’s biggest insurance companies are now offering policies of this type, but many people are still confused as to what they will cover
We have talked a lot about the various cyber-threats that are common today. For all of its usefulness, the internet can sometimes be a minefield. Worst of all, due to the actions of hackers and other criminals, it is possible for a company to incur devastating damage through no fault of their own.
When you look at it this way, you realize that it’s not a bad idea to have a cyber-specific insurance policy. Many of the world’s biggest insurance companies are now offering policies of this type, but many people are still confused as to what they will cover and how they work. Let’s delve into this subject and see if we can relieve some of your confusion.
WHAT IS CYBER LIABILITY INSURANCE?
Cyber liability insurance is an insurance policy that is meant to protect an individual or company (usually a company) from the results of a data breach. This might include the costs of lawsuits from those whose data was leaked, the cost of notifying those affected, or the damages incurred to the reputation and productivity of a company.
As you can already tell, there is a lot of variation between these policies. In fact, it seems that every insurance company offers a slightly different variation on this theme. Next, we will look at a few examples of these policies so that you can understand them a little better.
EXAMPLES OF CYBER INSURANCE POLICIES
Let’s look at three of the most popular cyber insurance plans out there so that we can see what they offer. We are certainly not recommending any of these policies, nor are we trying to criticize them. Instead, we present them as examples from which you can learn.
First, let’s examine the Cyberchoice First Response policy from The Hartford. This policy requires you to report data breaches and network breaches immediately in order for them to be covered. They must be filed as either a “data privacy wrongful act” or a “network security wrongful act.”
In the event that the insured has to go to court over a data breach, this policy pays all defense expenses and regulatory fines. It also covers incident response fees and ransomware payments (as well as any other type of cyber extortion). The policy will pay for any business lost due to data breaches, and that covers a lot of ground. All in all, this is a very extensive policy that offers a lot of options.
For a second example, we might look at the Cyber Risk Coverage policy offered by Traveler’s. As you can see, the terms are quite similar to those found in our first example. In exchange for the premiums, the insurance company pays for any legal consequences that may result from a data breach. This includes both legal defense payments and fines/judgments made against the client.
One thing that separates this policy from The Hartford’s policy is the fact that it covers “suspected” data breaches. Thus, if you have good reason to believe that a cyberattack has taken place, you can claim the expenses that it took to investigate the matter. Like the other policy, it covers data recovery costs and extortion payments. However, it also covers “betterment” costs. After a data breach, the natural response is to harden your security and close any known vulnerabilities. As we see here, the expenses of doing so might be covered by a policy like this one.
WHO NEEDS A CYBER INSURANCE POLICY?
Obviously, not everyone needs a policy of this type, but just about any business can benefit from one. The sad truth is that any business, whether large or small, has the potential to be hacked. The only question lies in whether or not a hacker will find it worthwhile to try.
You might think that small businesses have no need to worry, but this is not necessarily the case. Instead of giving you hollow assurances, let’s look at some data. Verizon puts out a data breach investigative report every year, and its statistics are considered to be pretty reliable.
As you can see, large businesses were the targets in roughly 72% of cases. Small businesses were targeted in about 28% of these cases, so it would seem that a small business is less likely to be targeted. However, here’s the thing: When a small business does get hacked, they are more likely to go out of business. They just don’t have the kind of money that it takes to weather all that fallout.
Obviously, the average private individual does not need to worry about this kind of insurance. Unless you happen to be a remote worker who is involved in handling large amounts of personal data, you probably don’t need to worry about large-scale damage from a data breach.
THINGS YOUR CYBER INSURANCE MIGHT COVER
These policies will cover the same kinds of things, but there will be a lot of variation from one to the other. However, any good cyber insurance policy should contain two different types of coverages: First-party and third-party.
So, what is the difference between the two? Basically, they represent two different kinds of risks, which is why they are classified separately. The names indicate the party with whom the claim is filed. Thus, a first-party claim is one that you file with your insurance company. A third-party claim, on the other hand, is one that you file against someone else and their insurance company.
EXAMPLES OF FIRST-PARTY CYBER CLAIMS
After a data breach, companies will often go on a public relations blitz to minimize the damage to their reputations. These expenses can be claimed under most cyber insurance policies.
Cyber attacks often result in serious damage to the company’s hardware or software, but many insurance companies will cover these costs.
Federal and state laws dictate that individuals must be made aware of data breaches (if their data is involved). Of course, notifying that many people also involves substantial costs, and these can also be claimed.
Cyber attacks often involve a lot of downtime, and that means lost revenue. Although there are likely to be limits on this, most cyber insurance policies will cover this kind of thing.
The payment of ransomware notes is also usually treated as a first-party claim. This is because you cannot realistically sue the hackers.
EXAMPLES OF THIRD-PARTY CYBER CLAIMS
If the hacker or hackers can be positively identified, you may wish to initiate claims against them. Although this kind of situation is not common, it would definitely be classified as a third-party claim.
If someone should happen to file a breach of privacy lawsuit against you, your cyber insurance will probably cover the costs.
Fines from the government and other regulatory bodies will also fall under the umbrella of third-party coverage.
If someone should file a claim of slander, libel, or copyright infringement against you, it will probably be covered. It simply has to be related to a data breach in some way.
If your security wasn’t very good, you might have to worry about negligence lawsuits, but cyber insurance should also cover these.
If your company should run afoul of regulations (like payment card industry standards), and if that non-compliance is the result of a data breach/hacking act, it can probably be dealt with under third-party coverage.
Thankfully, most cyber insurance policies can be customized to suit your particular needs. Your company should offer you a number of optional coverages, and you will have to decide if these extras are worth the rate increase.
THINGS THAT ARE USUALLY NOT COVERED BY CYBER INSURANCE
We have already mentioned “betterment costs,” which include any and all measures taken to improve security after a breach. Overhauling your whole IT security scheme is not likely to be free or cheap, so it’s good that some policies will cover these expenses. However, you should understand that most policies will not do so.
Of course, there can be a fine line between “recovery costs” and “betterment costs.” Thus, you should make sure that you read your policy thoroughly and understand where that line lies. Most insurance companies also won’t cover theft of your intellectual property or the financial consequences thereof. It’s not unheard of for a policy to cover that, but most companies seem keen to avoid those disputes.
As a general rule, you cannot claim money that you have not yet lost. That is to say, you cannot try to claim profits that will be lost in the future, even if they are a direct result of the data breach. You will usually be limited to claiming the damage that was present at the time that the claim was filed. Also, you are probably not going to be able to claim most physical damage under a cyber policy. Thus, if your computer was “bricked” by a recent attack, you may have to replace it on your own dime.
Bodily harm claims are also not covered under cyber insurance plans, but why would they be covered anyway? Theoretically, someone could have a heart attack from the stress caused by a cyberattack, or they might even fall out of a chair and hit their head, but these are not the kinds of claims for which you buy a cyber insurance policy. These kinds of things would be covered by general liability policies or by a commercial property insurance plan.
Social engineering hacks can also be a dicey issue. Because these hacks are technically the result of user error, some insurance companies are very wary about covering their results. In case you don’t know, social engineering hacks are those that involve tricking a person into giving up key information.
For instance, instead of trying to hack someone’s password (which isn’t always possible), attackers might masquerade as a member of their company’s IT department and trick the victim into giving up those crucial passwords. Although some policies will protect you against this sort of thing, you should not rely on that. The prevention of social engineering hacks is something for which you must take personal responsibility.
THE IMPORTANCE OF POLICY DEFINITIONS
When you are reading your cyber insurance policy for the first time, you should make sure that you understand everything that is written therein. Otherwise, you could very easily end up having your claims denied on a technicality. Obviously, some terms are so obvious that they require no explanation, but you should ask detailed questions about any terms in the contract which are not clearly defined.
The understood definition of a particular term can have pretty serious legal ramifications, as we can see by looking at the case of Larry Silverstein. He was the owner of the World Trade Center (before it was destroyed by terrorists), and he profited very handsomely from that disaster. The law allowed him to receive 3.5 billion in claims, but he attempted to get twice as much by claiming each hijacked plane as a separate event.
What followed was a convoluted and dicey legal battle over the exact terms of the policies, and over which policies were considered “in effect” at the time of the incident. In the end, Mr. Silverstein did not get his extra money. However, this case serves as a glaring example of how policy definitions can make or break a particular claim.
Cyber insurance is a very versatile thing, and so it is hard to predict what you will find as you negotiate your first policy. However, the basic purpose of this insurance is very simple, and that is to protect you and your company from the fallout of a high-profile data breach. Many companies have gone under because they couldn’t handle that fallout, so there is no doubt that these services are needed. If you would like to know more about these and other fine services, you can call PCH Technologies at (856) 754-7500.