Cyber Liability Insurance

Traditional property and casualty insurance products have insulated themselves from cyber issues. The standard commercial property policy uses small sub limits to limit the exposure to cyber losses. The Business Owner (BOP) takes a similar approach. General Liability defines computer data as an intangible property, so it would not meet the coverage trigger for property damage. This leads to the insurance industry creating specialized insurance products for cyber exposures. We will take a look at the most common policies and what they are intended to insure.

First Party Insurance

The intent of first party insurance is to cover expenses that are incurred by the named insured that are caused by a cyber event.

Privacy Notification and Crisis Management Expense Coverage

is a first party policy to provide for a response to a data breach. This coverage can provide for engaging a forensic specialist to determine the origin of the breach and to make recommendations to secure the system and prevent future breaches. If you are required to notify affected parties of a breach, this coverage can provide services or offset expenses related to this notification procedure. The extent of this effort will be in proportion to the number of affected individuals and the extent and type of data compromised. If Personal Identifiable Information (PII) was compromised, you may be obligated to provide credit monitoring and identity theft restoration to affected individuals. Some polices include a referral to service providers as part of the coverage. The policy may provide funds or services related to public relations to address reputational damage from the breach. This is a “no fault” type of insurance and does not require an admission of liability to trigger coverage.

Coverage can be added to first party programs to include losses from:

1. Business interruption

2. Data loss or destruction

3. Computer fraud

4. Funds transfer loss

5. Cyber extorsion

These perils are named to fill in for exclusions or items sub limited on standard policies.

Regulatory Defense and Penalties Coverage

is a first party coverage to provide funds for defending the named insured against local, state, and federal regulators who may assert that regulations regarding data security or privacy have been broken. Data breaches do not respect state lines, so a single breach could bring regulators from multiple state calling. Some policy forms can cover the fines and penalties assessed. This is an unusual coverage as most insurance policies exclude fines and penalties

Third Party Liability Insurance

Third party liability coverage is intended to protect you from the damages sought by others for your acts or omissions in regard to cyber events.

Information Security and Privacy Lability

coverage is intended to provide insurance to answer claims from parties whose privacy was compromised or who suffered some damages related to a data breach or network security issue with your systems. This is a true third-party coverage to address losses sustained by others as a result of your cyber event.

Typical Exposures are:

1. Loss or theft of PII from systems under your care, custody, or control

2. Damage caused to data in another party’s computer system

3. Use of your systems in a denial-of-service attack

4. Failure to make timely disclosure of a breach

5. Failure to comply with your own privacy policy in relation to PII of others

6. Failure to implement or administer governmentally required controls to protect PII or respond to a data breach. This is a true liability policy and your responsibility for the actions or omissions is in evidence.

Limits of Insurance

The insurance products mentioned above will have specific occurrence limits and aggregate limits shown on the policy. Many of the cyber policies have modest limits for these exposures and your exposure may be more significant than what is offered.

The risk management steps of scanning the environment and analyzing risk are key elements of your analysis. What is the scope of your data exposure? How many records? What is the nature of this data? Does it include PII? Does it include banking and credit card information? Does it include personal health information? Is the data you seek to protect constitute trade secrets of Intellectual Property that could impact your business if lost?

You must have a frame of reference to establish the scope of the exposure and the potential costs to make a decision about how to treat the risk. Part of that treatment is setting an appropriate limit.

The Driehaus Difference

Our review of your insurance program will include a cyber review. No business that has data or is connected to the internet is immune from cyber exposures. We will help you identify and quantify your exposures so you can make an informed choice of treating the risk. To reach our team of insurance professionals, call 513-977-6860 or contact us via our website at www.driehausins.com