I talk a lot about cyber insurance policies on this blog. While many readers will be familiar with those policies, some may not be. While most of you know that cyber policies cover data breaches, you may find yourself wishing you had a deeper understanding of the coverage and how the policies work. To help with that I’m starting a series of periodic posts that will explore the essentials of cyber coverage.
Let me start by saying that cyber policies are weird. They aren’t like general and professional liability policies that provide liability coverage, nor are they like property and crime policies that provide first party coverage. Cyber policies are all over the map. They cover unusual types of losses too. All of that can make them hard to understand.
A Very Short History of Cyber Insurance
When trying to understand cyber insurance it is useful to look at its roots.
Cyber insurance developed in the 1990s in conjunction with the rise of “dot.com” businesses. The policies covered lawsuits arising from breaches of the insured’s computer system security. Early policies sometimes also covered business interruption loss resulting from a compromise of computer system security.
Ironically, few companies in the US today would point to those coverages as the reasons they buy cyber insurance. Most US buyers are focused on data privacy risk.
The focus on data privacy risk can be traced to California’s enactment in 2003 of the first law requiring companies to notify affected individuals when their private information has been breached. Many states subsequently followed California’s lead, and today 47 US states, and in some cases the federal government, require individuals to be notified. The costs inherent in providing notice drove insurers to offer privacy liability and breach response coverage. That led to increased interest in cyber insurance.
There are very few mandatory notification laws outside the US. Interest in cyber insurance nevertheless has grown globally. This is being driven by concerns about cyber attacks and increasingly by regulatory regimes that encourage voluntary notification of individuals affected by a data breach.
Cyber threats have continued to multiply and become more serious. Cyber policies have evolved to cover those threats. While cyber policies are very far from being standardized, there are coverages that appear in the vast majority of policy forms.
What Does A Cyber Policy Cover?
A basic “plain vanilla” cyber policy today will cover claims resulting from data privacy and data security risks. Those aren’t the same thing.
Data privacy claims concern the improper disclosure or exposure of private information. This includes personal information, credit card information, health information, and confidential business information. Those claims are generally brought by individuals and companies whose information has been compromised, by regulators, and sometimes by law enforcement entities.
Data security claims involve loss arising from a compromise of the insured’s computer systems. This is most often the result of things like hacking into the insured’s systems, introduction of malware (programs designed to obtain unauthorized access to data or to damage data or computer systems), and denial of service attacks.
Typical Insuring Agreements
Although cyber policies can have a dozen or more different insuring agreements, as the graphic below illustrates, there are four that appear in most basic policy forms.
There are three liability coverages: (1) liability to third parties for privacy breaches, (2) liability to regulators for privacy breaches, and (3) liability to third parties for computer system security breaches.
The fourth coverage is a first party coverage that covers the insured’s costs to investigate and respond to a breach event. These include things like forensic investigation costs, costs to notify affected individuals, and costs to provide credit monitoring.
These coverages typically are provided in separate insuring agreements that may each provide a different amount of insurance. For example, a policy that provides $10 million of coverage for privacy liability claims may have a much smaller amount available, known as a sublimit, for privacy regulatory claims.
Sublimits under cyber policies need to be very carefully considered. Insurers include sublimits to help them manage their overall exposure and to attractively price policies. A sublimit is not necessarily a good reflection of the amount of coverage a company needs. While lower limits for some coverages might make sense for some companies, I’ve seen a number of claims over the years where companies ended up wishing their sublimits were higher.
I’ll talk about each of these coverages in more detail in later posts in this series.
Like D&O and other professional liability policies, cyber policies are written on a claims-made-and-reported basis. The events that trigger coverage must take place and be reported to the cyber insurer during the same one-year period that the policy is in effect. That requires a company to thoroughly understand what events the policy requires to be reported. Companies also must be extremely vigilant and diligent about reporting those events.
Compliance with a policy’s reporting requirements is extremely important to cyber insurers because of the speed at which cyber events can move, and the potential for impactful decisions to be made early in the company’s response to an event. Insurers want to be, and often have the right to be, involved at the earliest possible moment.
Cyber policies differ on the extent to which the insurer will control the response to a breach event or the defense of covered lawsuits. Some policies give the insurer the absolute right to control every aspect of the company’s response to a cyber event. The insurer will retain all necessary vendors, and will appoint defense counsel in the event lawsuits materialize. This is a feature appreciated by many companies that are unfamiliar with cyber event response. Other policies provide much more latitude for companies to select vendors and counsel they are comfortable with and to exercise greater control over the response to the cyber event. These policies appeal to companies that have spent time preparing for a cyber event and that have developed relationships with law firms and vendors that they prefer to use.
As under professional liability policies, defense costs paid under cyber policies reduce the available policy limit and sublimit. There is some divergence in insurers’ approaches to payment of first party breach response costs, though. While the majority of policies treat them like defense costs that are paid from the policy limit, some insurers will pay breach response costs outside the policy limit, generally for a specified number of affected individuals.