Cyber Liability Insurance
Traditional property and casualty insurance products have insulated themselves from cyber issues. The standard commercial property policy uses small sub limits to limit the exposure to cyber losses. The Business Owner (BOP) takes a similar approach. General Liability defines computer data as an intangible property, so it would not meet the coverage trigger for property damage. This leads to the insurance industry creating specialized insurance products for cyber exposures. We will take a look at the most common policies and what they are intended to insure.
First Party Insurance
The intent of first party insurance is to cover expenses that are incurred by the named insured that are caused by a cyber event.
Privacy Notification and Crisis Management Expense Coverage
is a first party policy to provide for a response to a data breach. This coverage can provide for engaging a forensic specialist to determine the origin of the breach and to make recommendations to secure the system and prevent future breaches. If you are required to notify affected parties of a breach, this coverage can provide services or offset expenses related to this notification procedure. The extent of this effort will be in proportion to the number of affected individuals and the extent and type of data compromised. If Personal Identifiable Information (PII) was compromised, you may be obligated to provide credit monitoring and identity theft restoration to affected individuals. Some polices include a referral to service providers as part of the coverage. The policy may provide funds or services related to public relations to address reputational damage from the breach. This is a “no fault” type of insurance and does not require an admission of liability to trigger coverage.
Coverage can be added to first party programs to include losses from:
Data loss or destruction
Funds transfer loss
These perils are named to fill in for exclusions or items sub limited on standard policies.
Regulatory Defense and Penalties Coverage
is a first party coverage to provide funds for defending the named insured against local, state, and federal regulators who may assert that regulations regarding data security or privacy have been broken. Data breaches do not respect state lines, so a single breach could bring regulators from multiple state calling. Some policy forms can cover the fines and penalties assessed. This is an unusual coverage as most insurance policies exclude fines and penalties
Third Party Liability Insurance
Third party liability coverage is intended to protect you from the damages sought by others for your acts or omissions in regard to cyber events.
Information Security and Privacy Lability
coverage is intended to provide insurance to answer claims from parties whose privacy was compromised or who suffered some damages related to a data breach or network security issue with your systems. This is a true third-party coverage to address losses sustained by others as a result of your cyber event.
Typical Exposures are:
Loss or theft of PII from systems under your care, custody, or control
Damage caused to data in another party’s computer system
Use of your systems in a denial-of-service attack
Failure to make timely disclosure of a breach
Failure to implement or administer governmentally required controls to protect PII or respond to a data breach. This is a true liability policy and your responsibility for the actions or omissions is in evidence.
Limits of Insurance
The insurance products mentioned above will have specific occurrence limits and aggregate limits shown on the policy. Many of the cyber policies have modest limits for these exposures and your exposure may be more significant than what is offered.
The risk management steps of scanning the environment and analyzing risk are key elements of your analysis. What is the scope of your data exposure? How many records? What is the nature of this data? Does it include PII? Does it include banking and credit card information? Does it include personal health information? Is the data you seek to protect constitute trade secrets of Intellectual Property that could impact your business if lost?
You must have a frame of reference to establish the scope of the exposure and the potential costs to make a decision about how to treat the risk. Part of that treatment is setting an appropriate limit.
The Driehaus Difference
Our review of your insurance program will include a cyber review. No business that has data or is connected to the internet is immune from cyber exposures. We will help you identify and quantify your exposures so you can make an informed choice of treating the risk. To reach our team of insurance professionals, call 513-977-6860 or contact us via our website at www.driehausins.com