What is Cyber Insurance?
Cyber insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, network damage and more. There are a variety of things that can go wrong for a business while doing business on the internet.
Cyber liability insurance policies protect businesses that host personally identifiable information or private data on their network. Companies that provide software as a service (SaaS), web hosting services or data storage services are considered high risk for targeted cyber attacks.
Data breaches are becoming more and more common in the “information age”, so much so that Forbes Magazine anticipates that cyber liability insurance will become nearly universal in the next few years. The rise in cyber insurance policies will raise the need to consider cyber subrogation on carrier losses on these policies.
Cyber insurance policies include both first-party and third-party coverage. Cyber liability insurance is unique in that the policyholder is covered for the unintentional acts, errors, omissions and breaches of duty caused by third parties or online “service providers.”
What is typically covered by a Cyber Insurance Policy?
The types of first-party coverage may include:
- Theft and fraud insurance covers destruction or loss of the policyholder's data as the result of a criminal or malicious cyber attack, including theft of trade secrets, proprietary data, credit card information and/or transfer/theft of funds.
- Forensic investigation covers the legal, technical and/or forensic services costs necessary to ascertain and assess when, where, and how the cyber attack or security breach occurred in the first place. A good forensic investigation could help you uncover the source of the attack.
- Business interruption insurance compensates the business owner for any income lost during the mitigation and restoration period after the cyber attack or security breach occurs. Companies can lose significant amounts of revenue and take a huge hit to their reputation when a cyber attack shuts down the online business.
- Extortion coverage reimburses for costs associated with the investigation of threats to commit cyber extortion and for payments to extortionists who threaten to obtain and disclose sensitive information unless they are paid money.
- Computer data loss and restoration covers physical damage or loss of computer-related assets, including the costs of retrieving and restoring data, hardware, software or other information destroyed or damaged as the result of a cyber attack.
The types of third-party coverage may include:
- Litigation and regulatory covers the costs associated with being involved or named as a defendant in a civil lawsuit, paying judgments that result, covering the amount of civil lawsuit settlements and/or paying penalties levied by any regulatory agencies resulting from a cyber attack.
- Regulatory response covers the legal, technical and/or forensic services that may be necessary to assist the policyholder in responding to governmental inquiries relating to a cyber attack including fines, penalties, investigations and/or other regulatory actions.
- Notification of breach covers the costs to notify customers, employees and/or other victims affected by a cyber attack, including providing any notices that may be required by law. For example, California has a breach notification law that applies whenever a computer system is compromised, including situations where identity theft could result.
- Crisis management covers the cost of public relations and reputation management campaigns and the advertising costs necessary to restore the company's reputation and business goodwill after a cyber attack.
- Credit monitoring covers the costs of credit monitoring, fraud monitoring and/or other related services to customers or employees that are affected by a cyber attack or data security breach.
- Media liability. Provides coverage for media liability that could arise.
- Privacy liability. Provides liability coverage to employees or customers against breach of privacy claims.
What type of events trigger a company to file a claim?
- The transmission of a virus to a third party. Example: A security gap in your software let a virus onto your client's machine and it spread to all your client's email contacts and deleted the client's data.
- The misuse, disclosure, or theft of confidential information stored on a network. Example: Inadequate network security allowed a hacker to access private client, customer or employee information.
- Infringement or breach of customer or employee privacy. Example: The security software developed and sold by your company was vulnerable to an outside attack that allowed hackers to access private information on your client's network.
- Lost or stolen intellectual property. Example: An employee's laptop containing proprietary software code and client information was stolen and exploited by a hacker.
- Financial loss arising from a data or privacy breach. Example: Hackers gained access to a movie studio's network and uploaded a movie that was not released to the public. The movie was downloaded over a million times before it was removed from the internet. The movie was finally released, but ticket sales were lower than expected, causing a financial loss to the studio.
Liability can be difficult to prove in cyber insurance claims. The cyber world is much younger and may not have applicable industry codes (like the plumbing or electrical codes used in determining property claim liability). In many cyber insurance cases, the general concept of “reasonableness” might emerge as the standard of care when analyzing cyber liability claims. Insurers want clients that understand the threat landscape and have demonstrated their ability to mitigate an attack through use of strong encryption, complex passwords, firewalls, periodic system upgrades, and intrusion detection/protection systems. The online business or eBusiness that seeks to minimize its risk needs a strong understanding of these information privacy and security standards.
The “reasonable applicable standard,” for example, was applied in Cotton Patch Café v. Micro Systems. In this case, Micro Systems sold Cotton Patch Café a Point of Sale (POS) system for the restaurant's credit card transactions. The POS system that Micro Systems sold to Cotton Patch Café contained software that was not validated against the standard created by VISA. The outdated software gave hackers access to the data embedded on the back of the customers' credit cards. Micro Systems breached the applicable standard of care and was liable for the damages caused by this breach.
In cases where the hacker may not be a viable source of recovery, insurance companies will consider whether the computer product/software supplier or network security company fell below the standard of care, which allowed the criminal act to occur. A good cyber security expert can help you explore whether or not certain vendors may have breached industry standards and basically left your company open to attack.
The high costs of cyber losses
Legal fees and costs associated with security breach lawsuits can add up quickly. In Home Depot's case, lawsuits were filed within days of the breach being announced. In a litigious society, especially in California and at times in Arizona where our law firm practices insurance subrogation law, lawsuits can be filed for even the most minor damages.
The reality today is that a compromise of personal information will likely result in some sort of unexpected costs to the breached organization. General liability insurance is not designed to respond to these expenses, and the few gaps that do exist in cyber insurance policies are quickly being closed by insurance companies, as noted recently in cases involving P.F. Chang's and Sony. One of the best choices available for protection from the financial consequences of a data breach is a cyber insurance policy.
Who provides cyber insurance coverage?
There are a lot of insurance companies that offer cyber liability insurance.
Approximately 25 insurers offer cyber liability insurance with coverage for both first-party and third-party losses. Cyber liability insurance coverage (CLIC) has been available in the market for around 10 years. Longtime providers of cyber insurance include:
- The Hartford
- ACE Group
- Philadelphia Insurance Company
- Ascent Underwriting
- Chubb Group of Insurance Companies
- CUNA Mutual Group
- Freedom Specialty Insurance
- Liberty International Underwriters
- OneBeacon Professional Insurance
- XL Group
- Zurich, NA
Contact a West Coast Cyber Liability Litigation Firm
The Law Offices of Steven C. Vondran, P.C. has a legal practice in the area of cyber insurance litigation and subrogation. We have a cyber loss insurance subrogation recovery practice that helps carriers seek recovery for losses due to cyber extortion, breach of network security, data loss, reputational damage, and loss of privacy cases. Cyber loss payouts can be staggering, and some sources estimate average losses to be approximately $900,000 per incident. We can help your firm investigate and seek to determine whether or not you have the ability to recover from potential tortfeasors.
In every subrogation case, we perform a detailed initial investigation and work with the right experts. We also understand the importance of preserving evidence and taking steps to create a legally defensible “chain of custody.” We do everything we can to help position your case for success from the date of loss, and continue this through pre-litigation negotiation and on through trial where required. We can be reached for a free initial consultation at (877) 276-5084 or by filling out the form below.