Jun 23, 2016

Cyber insurance 101: What you need to know

In a data breach, damage can be extensive. Networks and servers can be damaged; data can be lost; and third parties could have their private information compromised. These broad-ranging risks can generally be put into two categories of losses: first-party losses and third-party losses. First-party losses are those losses to property or business interests sustained by the insured itself. The classic example of first-party insurance is property insurance, which insures physical property against loss from fire or other calamity. Third-party losses, on the other hand, are those sustained by unrelated parties, who in turn blame the insured. Third-party insurance therefore protects the insured against third-party claims. Cyber policies are typically written as hybrid policies insuring both first- and third-party interests and are designed to provide protection for the range of damage that can be inflicted by a data breach.

So what types of coverage are available for a policyholder under a cyber policy?

The types of first-party coverages can be broad, but vary widely from policy to policy and carrier to carrier. Generally, however, most policies provide coverage for first-party losses ranging from breach response and notice costs to fees for breach counsel. Sample first-party coverages include:

  • Breach response: These insuring clauses cover costs to pay a computer security expert to determine the existence and cause of any electronic data breach resulting in an actual or reasonably suspected theft, and costs associated with forensic experts to determine the extent of suspected compromise. Included in the coverage may also be the fees of breach counsel to comply with the breach notice law, PII, costs of notice, call center and credit monitoring costs.
  • Crisis management and public relations: This coverage provides assistance with managing the public relations side of a breach, employing crisis management consultants and the costs of restoring public confidence.
  • Business interruption: Covers loss associated with the unavailability of the network.
  • Cyber and network extortion: This clause covers loss as a result of threats to commit an intentional damaging act against the network or computer system for the purpose of demanding money or other property, or a threat to disclose personal identifying information.

Cyber policies also typically offer a variety of coverage for third-party claims, which include defense and indemnification rights. Some sample third-party coverages include:

  • Coverage for internet-related defamation or media liability incurred as a result of publication on the insured’s website;
  • Information security and privacy coverage for theft or disclosure of personal identifying information, or loss or corruption of that data;
  • Network security coverage that covers damages to third parties as a result of the loss;
  • Coverage for third-party regulatory action brought by a government body for failure to follow regulatory requirements and penalties associated with those mistakes; and
  • Notification and credit monitoring costs for third parties.

Other important features and considerations

Proper and timely notice is an important condition precedent to coverage under a cyber policy. What constitutes proper notice under the first- and third-party coverages will differ. With respect to first-party losses, cyber policies are “discovery” and reported-based policies. In other words, the policy only applies to cyber incidents that are initially discovered by the insured and reported to the insurer during the policy period. With respect to third-party liability, cyber policies are “claims-made” policies. This means that the policies apply only to a “claim” first made against the insured and reported during the policy period. Both types of notice typically must be provided as soon as practicable. As with other insurance policies, in order to preserve coverage, it is important to ensure that notice is provided in a timely manner.

Cyber insurance contains some common exclusions of which insureds should be aware. Insurers may exclude loss related to unencrypted data, data sent (and then lost) by third-party contractors, certain types of regulatory claims, circumstances arising before the retroactive date of the policy, or claims related to laptops. Policyholders should carefully read and understand the nature of data-related exclusions. Insurers also typically exclude from all insurance contracts loss arising from intentional acts (subject to a final adjudication), prior wrongful acts or those that the insured had knowledge of at the time the policy incepted, claims arising out of one insured against another insured, and loss covered by other insurance policies.

When purchasing cyber insurance, policyholders should consider how important it is to have the ability to select consultants and outside vendors. Some policies will require that insurer-approved professionals (including attorneys) be hired to assist with the data breach. Others may allow the insured to choose. These choices may come at a cost of additional premium. Insureds should also understand and be aware that certain types of loss may be subject to a “sublimit.” A sublimit is the most the insurer will pay for a defined type of loss, notwithstanding the total limit of liability.

Please contact us for further information about how to protect your business with cyber insurance.

This Chuhak & Tecson, P.C. communication is intended only to provide information regarding developments in the law and information of general interest. It is not intended to constitute advice regarding legal problems and should not be relied upon as such.

Client alert authored by: Kristen E. Hudson, Principal