by Amanda Kelley
With recent data breaches at major retailers making headlines, businesses are aware of cybersecurity threat. As FBI Director Robert Mueller recently stated, “there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” However, what businesses may not be aware of is that data breaches are not just the result of hackers, but may be caused by employee mistake, unauthorized access by a former employee, or theft of a company device. Further, a company’s high-risk data is not limited to just customer credit or bank account information, but also includes information possessed by every small or medium sized business, such as employee Social Security and driver’s license numbers.
The wide breadth of potential cyber risks is accompanied by the prospect of large expenses that can be fatal to a business. As indicated by the Ponemon Institute’s most recent study, the costs of a data breach continue to rise. In 2013, the average cost of a corporate data breach increased 15 percent to $3.5 million, and the average cost for each lost or stolen record containing sensitive or confidential information was $145. The harm suffered by a company as a result of a data breach is not strictly limited to monetary damages, but extends to brand reputation, customer loyalty, and a myriad of new privacy statutes.
Given the potentially large exposure, all businesses should seriously consider insurance as a risk transfer solution. While traditional insurance policies may afford some protection, insurers now offer special cyber insurance policies that may best protect a business from the harm posed by cyber risks. While the best insurance policy for a business is a highly individualized decision, there are certain fundamental considerations for all businesses.
Before addressing cyber insurance, it is worth noting that coverage under a traditional insurance policy—directors and officers liability coverage, commercial general liability (CGL), and commercial crime—for a cyber-related loss may still be possible. For example, the standard CGL provision covering “personal and advertising injury” is commonly claimed for coverage of a data breach resulting in the theft of customers’ credit or bank account information. Or, a company may successfully argue that a cyber-attack resulting in the loss of the physical use of a company’s servers or network is covered under a policy’s property damage provision. However, insurers are increasingly adding specific exclusions denying coverage for violations of privacy laws or damages from a data breach, and courts are upholding these exclusions. In fact, last year the Insurance Service Office filed several data breach exclusionary endorsements for use with the standard-form CGL policy.
Taking into account the large number of restrictions on traditional insurance policies, companies should seriously consider cyber insurance. There are numerous scenarios that may be covered by cyber insurance that would not be covered by traditional insurance; for example, credit monitoring for customers or employees after a data breach. As cyber insurance varies greatly across carriers, companies should analyze the scope of the offered coverage and limitations before purchasing. An effective policy should cover both first-party losses and third-party losses. Together, these provisions should include coverage for the costs associated with responding to a cyber-issue, disruption to the company’s network, and potential lawsuits. Specifically, these provisions should cover: forensic services to determine the location and scope of a breach; public relations and crisis management; costs stemming from providing both mandatory and voluntary notification to customers and authorities; credit monitoring and identity theft counseling; call centers; the costs to restore a company’s data or servers; legal advice to ensure regulatory compliance; and any e-extortion demand.
In addition to coverage, a company should be aware of potential cyber insurance exclusions. For example, regulatory fines, government investigations, or criminal penalties commonly are not covered. Further, the widespread use of vendors and contractual liability exclusions may greatly impact the scope of a business’s coverage. Cloud providers pose a high-risk for a cyber-attack; a business should closely review the terms of its contracts with providers to understand the serious consequences presented by applicable indemnification provisions.
Finally, it should be noted that CGL policies and cyber insurance policies may work together. There may be additional coverage limits if both policies provide coverage for a cyber-incident, or a CGL policy may cover indemnity agreements and protect a business whose cloud provider is breached.
Amanda Kelley is an associate at Alston & Bird LLP. She can be reached at firstname.lastname@example.org.