Myriad Options For Cyberinsurance 

May, 2014 - William T. Um

It seems that every week there is a new story about a company being impacted by a major data breach and the consequences that follow from such a breach, including the inevitable lawsuits, public relations nightmare, and governmental investigations. These breach stories are then followed by articles about the high costs of dealing with these breach events, including the costs to notify consumers, to identify the source of the breach, and to pay for credit monitoring, among many others. Eventually, "cyberinsurance" is mentioned.


Insurance carriers who provide cyberinsurance market these products under names like "Digital Technology & Professional Liability," "NetProtect 360" and "Privacy and Network Liability." This class of insurance policies is designed to provide some risk shifting for the costs associated with data breaches.


The cost of data breaches to companies continues to climb. According to the Ponemon Institute, the average total cost increased 15 percent from 2013 to 2013 to $3.5 million. The average cost paid for each lost or stolen record increased almost 10 percent from $136 to $145. U.S. companies had the costliest data breaches at $201 per record. These are averages for data breaches involving fewer than 102,000 compromised records, and do not include mega data breaches, such as those affecting Sony and Target, which are expected to cost those companies hundreds of millions of dollars.


The Ponemon Institute also found that the probability of a material data breach involving a minimum of 10,000 records over the next two years is more than 22 percent. Thus, the question for companies is not "will they suffer a data breach event?" but "when and to what extent?"


Most cyberinsurance products provide coverage for a combination of first-party losses and third-party liability. Policies can provide coverage for legal fees (currently, 47 states have consumer notification laws, and data breach notifications are inevitably followed by class actions) as well as costs for investigations and restoration, public relations and crisis management, business interruption, credit monitoring, and even extortion expenses.


Courts are split as to whether general liability policies cover some of these costs. However, rather than wait for courts to resolve these coverage disputes, the insurance industry has made it clear that it intends to eliminate data breach coverage from general policies.


Companies purchasing cyberinsurance policies should be careful about giving up too much control over the selection of attorneys, forensics experts and cybersecurity professionals. Many cyber policies require the use of the carrier’s designated "panel" of attorneys and other professionals who may not fully understand the unique cyber-risks of your company.


Furthermore, with cyberinsurance, one size does not fit all. For companies in the financial and retail industries, theft of credit card and account information that could lead to identity theft and misuse of funds is the primary concern. On the other hand, for ISPs and other companies with an online presence, disruptions to network access are the primary risk factors. Because cyber-risks are unique to the policyholder’s industry, companies should consider potential differences in sub-limits, i.e., lower sub-limits for less vulnerable risks and no sub-limits for higher-risk covered categories, to obtain better premium valuation.


Although data breach exclusions are becoming more common in general policies, such exclusions are not yet common in other traditional policies like directors and officers and professional liability policies. For example, some recent complaints allege that the data breach events occurred due to the companies’ failure to maintain and to update cybersecurity policies, thereby triggering such policies that provide broad coverage for alleged "wrongful acts."


Because the scope of coverage and the cost of cyberinsurance can vary significantly from carrier to carrier, more than ever, companies need to involve insurance coverage counsel and experienced insurance brokers in the insurance buying process. Counsel can assist the policyholders in evaluating the unique cyber-risk profile to match the scope of coverage offered under the different cyberinsurance products in the marketplace. With the assistance of experienced counsel, policyholders, when faced with cyber losses, will be in the best possible position to present a claim that increases the chance for coverage.

 
