How to Shop for Cyber Insurance
April 24, 2014
Cyber insurance can be an extremely valuable asset in an organization’s strategy to address and mitigate cyber security, data privacy and other risks. However, selecting and negotiating the right insurance product can be a challenge because of the lack of standard language and issues with "off-the-shelf" policies.
Roberta Anderson, a member of K&L Gates’ global insurance coverage and cyber law and cybersecurity practice groups, offers the following tips to help facilitate the selection of the proper policy.
- Get a Grasp on Risk Profile and Tolerance: Companies need a thorough understanding of their risk profile, which includes the scope and type of non-public personal information and confidential corporate data that is maintained. This includes understanding how data is used, transmitted and stored, as well as who uses and sends the data. A complete understanding of the risk profile also entails evaluation of the organization’s IT infrastructure and practices and assessment of potential threats to the organization’s (and its vendors’) network security. An organization should also assess its potential exposure in the event of a data breach or network security incident. When an organization has a grasp on its risk profile, potential exposure and risk tolerance, it is well-positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.
- Look at Existing Coverage: The California federal district court’s recent decision in Hartford Casualty Insurance Company v. Corcino & Associates et al., which upheld coverage under a commercial general liability (CGL) policy for a data breach that compromised the confidential medical records of nearly 20,000 patients, underscores that there may be valuable privacy and data breach coverage under “traditional” insurance policies, including under the “Personal And Advertising Injury Liability” section (Coverage B) of a typical CGL policy. There may also be valuable coverage for data breach and network security liability and network security failures under an organization’s commercial property, D&O, E&O, professional liability, fiduciary, crime and other coverages.
- Purchase Cyber Insurance As Needed: In response to decisions upholding coverage for data breach, privacy, network security and other cyber risks, the insurance industry has added various limitations and exclusions purporting to cut off the “traditional” lines of coverage. Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. As far as data breaches are concerned, cyber policies usually provide some form of privacy coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises confidential personally identifiable information. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation” coverage (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach. In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk management services, which can be valuable in preventing as well as mitigating attacks.
- Spotlight the “Cloud”: Cyber risk is intensified by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers. The Ponemon Institute’s 2011 Cost of Data Breach Study, published in March 2012, found that more than 41% of U.S. data breaches are caused by third-party errors. Many “off-the-shelf” cyber policies, however, purport to limit the scope of coverage to the insured’s own acts and omissions (not the acts and omissions of third parties) and to network security threats to the insured’s own network or computer system. This may result in illusory coverage.
- Remember the Cyber Misnomer: Keep in mind that many data breaches are not electronic. They often result from non-electronic sources. Data privacy laws do not distinguish between a breach resulting from a network security failure or a breach on account of stolen paper records from a closet. Neither should a cyber insurance policy. A solid policy will cover non-electronic data—such as paper records—and provide coverage for physical breaches resulting from the theft of a laptop or loss of a USB drive, for example.
There are many other considerations and points to focus on. There is an array of cyber products on the marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer, and even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, Anderson said successful placement requires the involvement and input not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel, IT professionals, resources and compliance personnel, and experienced insurance coverage counsel.