As the graphic below illustrates, security liability coverage is one of the four basic coverages available in typical cyber policies.
System security liability coverage exists to respond to the insured’s liability to third parties resulting from cyber attacks on the insured’s computer system or the computer system of a third party operated on behalf of the insured.
So what kind of cyber attacks are covered? Generally speaking, good policies cover loss resulting from:
- A third party’s unauthorized access or use of the computer system;
- Malware, spyware, viruses, etc. in the computer system (e.g. the NotPetya attack);
- A denial of service attack;
- The computer system being used to attack computer systems of others.
Cyber attacks such as these can give rise to a variety of claims. A few examples:
- A company that hosts e-commerce web sites suffers a denial of service attack. Its customers’ web sites become inaccessible and the customers lose money and sue the insured.
- On online gaming service is attacked and taken down. Subscribers bring a class action because the system is inaccessible.
- A franchisor provides IT infrastructure for its franchisees. A cyber attack impacts the franchisees and causes them to lose business. The franchisees sue.
- Malware causes destruction of customer data. Customers sue.
- An insured’s computer system is hacked and used to infect a third party’s system with malware. The third party brings suit.
A cyber attack may result in a breach of private data, but such a breach is not necessary to trigger system security liability coverage.
It is important to understand what system security liability coverage won’t do.
System security liability coverage won’t cover the insured for its own losses. If an attack results in a theft of money or other property from the insured the coverage will not respond. Companies typically need to look to their crime policies to cover that loss.
System security liability coverage won’t cover the insured’s cost to recreate lost or corrupted data. While the coverage will respond to losses sustained by a third party if data is lost, it will not cover the insured for amounts spent to recover data. That loss can be covered under another type of cyber coverage that I’ll talk about in a later post.
Finally, system security liability coverage will not cover the insured’s cost to investigate and remediate the cyber attack. A good cyber policy should cover that loss under a breach event cost insuring clause if purchased.