Sarasota Insurance Agency >> blog
Several recent, large-scale cyber events, including both data breaches and cyber attacks, demonstrate that companies, both large and small, must protect themselves against the risk of a cyber event. Cyber insurance policies can be an effective means of mitigating such risk, and with the average cost of responding to a data breach or cyber attack now in excess of $6 million, the decision to obtain such a policy is not necessarily a difficult one. But finding the right cyber insurance policy can pose a much more challenging task.
Although traditional CGL policies may, in limited circumstances, still provide coverage in the event of a data breach or cyber attack, relying on such policies to cover cyber liabilities has become increasingly risky and uncertain. In fact, many insurance companies now require the exclusion of cyber liabilities from CGL policies. Indeed, although the Fourth Circuit recently held, in Travelers Indemnity Co. v. Portal Healthcare Solutions, LLC, 644 Fed. Appx. 245 (4th Cir. 2016), that the insured's CGL policy provided coverage against a lawsuit for the alleged digital publication of private medical information, that holding will only serve to further motivate insurers to require specialized cyber insurance policies.
For a number of reasons, the process of selecting the right cyber insurance policy is unlikely to be as straightforward as picking between traditional providers for an auto insurance policy. Instead, because of the lack of standardization in the cyber insurance industry, a company in the market for cyber insurance is likely to find countless variations in coverage offerings. Although this lack of standardization provides opportunity to negotiate coverage options, it also makes comparing policies and finding coverage suitable for specific business needs more difficult, and creates a risk of obtaining a policy with critical gaps in coverage.
Consequently, before acquiring a cyber insurance policy, a company should be sure to first develop a complete understanding of the cyber risks specific to its business, thoroughly evaluate the extent to which its cyber insurance policy options cover those risks, and consult with a broker and legal counsel to make sure that it obtains a policy that adequately covers the types of risks that actually matter.
The two main types of cyber risk coverage that companies generally consider include first-party coverage and third-party liability coverage:
First-Party Coverage can cover direct costs associated with responding to a cyber event, such as the unintended disclosure or loss of personal information, the theft, destruction, or loss of data caused by a crime or fraud, and the introduction of malware or viruses. Cyber events such as these can give rise to a number of significant costs including, among other things, costs for:
Third-party liability coverage can cover costs associated with claims, lawsuits, and regulatory inquiries arising from a cyber event, including, among other things, costs for:
The cyber insurance market is filled with policies providing different combinations of these coverage types, so developing an understanding of each is a critical step in selecting a cyber insurance policy. A company armed with this understanding, along with knowledge of cyber risks specific to its business, can more effectively determine which of its cyber insurance policy options best suits its needs.
Companies in the market for cyber insurance should also consider the provisions, disclaimers, and exclusions in each of its cyber insurance policy options. Here are some examples of questions that companies should ask themselves in doing so:
Although cyber insurance can provide broad protections in the event of a cyber attack or cyber breach, companies should also put in place sufficient internal cyber security measures to limit the chances that a cyber event happens altogether. By doing so, a company can limit the chances of being hit by costs unlikely to be covered by cyber insurance, such as reputational harm, loss of future revenue, and costs to improve internal technology. And as an added benefit, by increasing preparedness for a cyber event, a company can make itself a more attractive prospective insured and find better rates and better coverage.
Data breaches and cyber attacks can be extraordinarily costly events, both for a company's bottom-line and its reputation. Companies should therefore be sure to take a well-rounded approach to protecting themselves that includes, at the very least, a cyber insurance policy tailored to its specific needs and internal cyber security measures designed to limit their chances of falling victim to a cyber event. And should a data breach of cyber attack occur, it is important to coordinate with legal counsel to ensure that a claim is presented to maximize coverage.
Do you own a business with online transactions? If you haven’t thought about cyber insurance, give WFL a call today and we can help you understand why it’s important to consider.