Companies of all shapes and sizes understand the importance of general commercial liability coverage. But, with the unprecedented rise in cyber attacks—particularly against businesses that collect and store the personal, medical, or financial data of their customers—how many companies have invested in the necessary cybersecurity insurance coverage? PwC estimates that cyber insurance premiums will reach $7.5 billion by the end of the decade. However, not all cybersecurity insurance policies are created equal, and companies must evaluate their unique risk profile and pay careful attention to how their insurance carrier defines key terms in their policies.
Cyber attacks resulting in customer data breaches are almost certain to invite litigation and, depending on the context, government regulatory investigation. For publicly-traded companies in particular, data breaches can prompt high-profile and costly shareholder derivative litigation that, regardless of whether the company successfully defends the litigation, is highly disruptive. In one of the most noteworthy cases in recent years, Target Corp. was sued by shareholders over a 2013 cyber attack resulting in one of the largest data breaches ever reported. A federal judge in Minnesota dismissed the litigation in July 2016, but not before the company had reported nearly $300 million in cumulative expenses incurred since the breach, only $90 million of which was covered by Target’s insurance.
So, how do you determine which cybersecurity policy is best for your business? There are any number of factors to consider, but start by asking the following five questions.
- What minimum cybersecurity measures must your company implement for the policy to take effect? So-called “minimum required practices” exclusions prevent the insured from recovering on the policy if it is determined that the insured did not implement adequate procedures and risk controls to defend against cyber attack. What constitutes “minimum required practices” can vary significantly between and among policies. Companies should clearly understand the definition of this exclusion in their policy and ensure that they are meeting or exceeding the standard. Companies should consider policies that clearly enumerate the required practices and negotiate that language with members of the company’s IT department who are more likely to understand what minimum required practices are possible given the company’s existing technology infrastructure. Also, consider whether your company is subject to any industry-specific laws or regulations that your carrier could argue would set a floor in terms of cybersecurity best practices. For instance, the New York State Department of Financial Services’ new rule requires certain financial services sector companies to maintain risk-based cybersecurity programs. The failure of a company to follow that rule might be considered by their insurance carrier to be a per se trigger of the policy’s minimum required practices exclusion.
- What types of cyber events trigger coverage and when does coverage commence? Some cybersecurity insurance policies do not cover liability sustained from the mere breach of a company’s customer data; rather, coverage applies only if that data is published or otherwise made publicly available. If your policy is triggered only in the event of publication, then also determine whether the identity of the publisher affects your coverage. In Zurich American Insurance Co. v. Sony Corp. of America et al., 651982/2011, New York Supreme Court Judge Jeffrey K. Oing ruled that Sony’s insurance carrier did not have to defend the technology company in lawsuits stemming from the 2011 cyber attack on Sony’s PlayStation network. In that case, the hackers had published the user data online, not Sony, and according to the court the policy required that Sony commit the act of publication. The court ruled that coverage for publication liability could not be extended to publication by third parties, including the perpetrators of the attack. Companies should also consider a retroactivity provision that covers any unknown cyber intrusion or attack that commenced before the policy was signed. In many cases, a cyber attack may have been commenced months or years before it is identified or data is stolen.
- What aspects of your company’s technology infrastructure are covered by your policy? Carriers are increasingly excluding coverage for cyber attacks resulting from the loss of a cell phone or laptop, or for data theft in which an employee misplaces a thumb drive or other electronic storage device. Companies whose employees have remote server access or frequently work outside the office should ensure that their policy defines the origin of the cyber attack or data loss with sufficient breadth to cover all likely eventualities.
- Against what types of legal actions is your company insured, and how much control will your company have in responding to those actions? In the immediate aftermath of a cyber attack or data breach, it is difficult to determine exactly what types of legal liability the company will face in the coming weeks, months, and years. Depending on the gravity of the situation, it is safe to assume that companies will face civil litigation, but will the incident also result in a government investigation or even criminal charges? Do your company’s existing contracts mandate that customer disputes be settled using alternative dispute resolution, such as arbitration or mediation, and will your cybersecurity policy cover those eventualities? Relatedly, does your policy require insurance carrier pre-approval before you take certain actions in defense of cyber-related claims? Time is often of the essence when it comes to a cyber attack, so you want to ensure that your policy does not hamstring your company’s ability to respond.
- Finally, does the perpetrator or motivation of the cyber attack matter? Even robust cybersecurity insurance policies tend to be geared toward inadvertent data breaches or cyber attacks perpetrated by criminals with financial motivations. Many insurance policies include exclusion clauses for cyber attacks committed by governments or terrorist organizations or with the intent to cause physical harm. Companies, particularly those operating in the energy and infrastructure markets, should consider whether they need protection beyond data-related liability if a cyber attack could result in physical damage or loss of life. Congress passed the Terrorism Risk Insurance Program Reauthorization Act of 2015 to extend government-backed reinsurance of terrorism coverage. However, the government program is triggered only under a limited set of circumstances.
In 2017, more and more general liability policies will include cybersecurity-related coverage, but in many cases a supplemental and tailored cybersecurity-specific policy is warranted. Companies should evaluate their risks, compare cybersecurity insurance policies, and consult with an expert before purchasing insurance for protection from cyber attacks.