Cyber Liability: Maybe Not for Fred Flintstone, But for Everyone Else?
Cyber liability insurance. Do I need to buy it? Unless your company is not using electronic data, hello, Fred Flintstone, the answer is likely yes. What types of activities make your business vulnerable to data breaches and cyber-attacks? What coverage may you typically find in a cyber liability policy? Cyber liability coverage is increasingly important for any business that uses electronic equipment to conduct its operations. That means virtually everybody.
Do you do one or more of the following:
• Communicate with customers via email, text messages or social media
• Send or receive documents electronically
• Advertise your company via electronic media, such as a website or social media
• Store your company's data on a computer network. Examples of company data are sales projections, accounting records, tax documents, and trade secrets.
• Store data that belongs to others (such as employees or customers) on a computer network. This data may include customer names and addresses, customers' credit card numbers, employees' birth dates and social security numbers, and other sensitive information.
• Sell products or services through a company website
These activities can help your business or organization operate efficiently. Yet, they also generate risks. Additionally, you could incur large out-of-pocket expenses to repair or restore lost or damaged data.
Cyber liability insurance covers lawsuits stemming from events such as data breaches, the inability to access data, or the failure to adequately protect data from thieves. Such lawsuits are not covered by a standard commercial general liability (CGL) policy.
For one thing, damage to electronic data does not qualify as property damage under a CGL policy. Why? Electronic data is not considered tangible property. Secondly, most CGL policies contain a specific electronic data exclusion. This exclusion eliminates coverage for claims "based on the loss, damage or corruption of data or the inability to use it."
Suppose that a virus invades your computer network and damages a client's data which you have taken responsibility to maintain. Perhaps, you are the bookkeeper. As a result of the virus, your client is not able to access records needed for a loan or to document a contract. He sues you for the damage to his data. The suit will not be covered by your CGL policy. Property damage was not at issue.
Cyber liability policies protect businesses against lawsuits filed by customers and other parties that result from security or privacy breaches. While these policies have been in the market for almost 20 years, there is still not a common form or policy language among the forms used by the dozens of insurers who now offer cyber liability policies. Recently, one expert in the area gave brokers who sell cyber liability a grade of C-. If those experts have a C- knowledge of the policy coverages, can you imagine what grade he would give the risk managers and business owners who buy such coverage?
Virtually all of the forms are written on a claims-made basis. The claim of a data breach or other any cyber related libel or slander, invasion of privacy, or infringement of copyright and other intellectual property rights must occur during the policy period.
Most of the forms provide coverage for claims asserted against you by others, known as third-party liability. Now, many cyber policies also cover various first-party expenses, which are your own damages from a cyber incident. Here are examples of the coverages that are often included (or available):
• Business Income and Extra Expense covers income you lose and expenses you incur due to a full or partial shutdown of your computer system because of a cyber-attack, virus or other insured peril. This coverage differs from business income and extra expense insurance that are available under a commercial property policy.
• Loss of Data covers the cost of restoring or reconstructing your data that was lost or damaged due to a virus, hacker attack or other covered cause.
• Associated Costs covers costs you incur due to a data breach. Examples are the cost of notifying affected customers as required by law, and the cost of providing credit monitoring to affected customers. Often as part of these notifications, fines and penalties are imposed. These fines and penalties can be expensive and there is discussion among carriers as to the rationality for covering such "damages" as they are intended as punishment or a deterrence to others. Such costs are historically not insured. In the event of a breach of private health information, identity monitoring is more important to those who may have had their health records exposed than is credit monitoring.
• Cyber Extortion covers the costs associated with a cyber ransom threat. For example, a cyber-criminal threatens to exploit a security flaw in your computer system or shut down your system with a denial of service attack unless you pay him or her a sum of money. Normally, they demand payment in bitcoins or cyber currency.
Some policies have been developed for the specific needs of technology companies while some are designed for health care organizations. Some insurers offer a range of coverages on an "a la carte" basis. This enables insurance buyers to select the coverages they need the most. Although, this can confuse the unsophisticated buyer or broker who may not select the right coverages.
Your agent or broker can help you obtain cyber liability insurance. The application is likely to ask detailed questions about your firm's computer system and how it is secured. Although, while in the past, carriers often did an audit of the security in place by prospective insureds, those are occurring less and less often. Insurers normally inquire about the following:
• Firewall Does your system have a firewall?
• Virus Scans Do you scan email, downloaded content or portable devices for viruses?
• Responsible Person Who is responsible for network security?
• Security Policy Do you have a written security policy?
• Protection Software Is your system protected by anti-virus software? Do you use intrusion detection software?
• Remote Access Do employees, customers or others access your system remotely? If so, what system is in place to authenticate users?
• Sensitive Data What types of sensitive data (social security numbers, credit card information etc.) do you store on your computer system? Is the data encrypted?
• Access Do you control access to sensitive data?
• Data Controls Testing Do you periodically test your data control measures?
• Data Backup and Storage Do you back up your data daily? Where are the backups located?
By Keith Daniels
Gloss