Liability and damages arising out of “cyber” events present one of the greatest risks facing small and large businesses in the coming years. In fact, a recent study suggests that roughly 1 in 5 small businesses (those with 200 or fewer employees) will be hacked and, among those hacked, about 60 percent will go out of business within 6 months. Despite the increased prevalence and catastrophic consequences of this risk, there is not yet a standard form policy for cyber insurance offered through Insurance Services Office, Inc. (“ISO”) or anyone else. And while certain commercial policies may have previously provided limited coverage for damages arising out of a cyber event, the recent trend among insurers has been to exclude such coverage in non-cyber policies (e.g., CGL, D&O, etc.), effectively forcing their insureds to purchase stand-alone cyber policies.
What insureds may not realize is that, without a standard policy, cyber insurance coverage can vary dramatically from one carrier to another. Each manuscripted policy includes distinct coverage grants, definitions, and exclusions, preventing an apples-to-apples comparison. So insureds should not choose a particular cyber policy based primarily on quoted premiums and limits. The details of the coverage simply can’t be ignored. On the bright side, however, cyber insurance coverage is heavily negotiable and can be enhanced significantly with little or no change in premium. You just need to know what to ask for.
But before evaluating a particular cyber insurance policy, a company should take a close look at the specific risks it needs to protect against. In the case of a data breach, common costs include (1) investigation and mitigation by IT professionals; (2) notification to customers/clients, along with help desk and/or credit monitoring services; and (3) civil and/or regulatory penalties. Most cyber policies offer some form of first- and third-party coverage for these risks.
Components of First-Party Cyber Coverage
a. Forensic Investigation Coverage
Immediately after a data breach, a company will usually incur significant costs in hiring IT consultants to identify the nature and scope of the problem, and to contain it. These costs are not typically covered by any other type of insurance policy.
b. Crisis Management Costs
These costs may include the hiring of public relations consultants and/or attorneys to help craft an appropriate company statement, notify customers, and comply with data breach notification laws in the wake of a data breach.
c. Business Interruption
This coverage typically protects against a complete cessation of business, as opposed to a reduction in business, as a result of a cyber event.
d. Data Loss and Restoration
When a company loses its own data as a result of a data breach, the costs of hiring IT consultants to restore the data can be enormous. Pay close attention to whether this coverage is subject to a sublimit.
e. Computer Fraud
Computer fraud coverage protects against loss sustained by the insured through the fraud of a third party. Be sure that the coverage applies to fraud committed by authorized users and is not limited solely to hacks by unknown third parties.
f. Cyber Extortion Coverage
This is by far the most interesting area of cyber insurance coverage. It comes into play where hackers obtain confidential customer or business data and demand a ransom in exchange for the safe return of the data. This is, unfortunately, becoming a more common occurrence. The recent events involving the infidelity-promoting website, AshleyMadison.com, reflect a type of cyber extortion in which the hackers threatened to expose, and in fact exposed, the confidential identifying information of Ashley Madison’s customers. Rather than demanding money, the hackers demanded that the website be taken down to avoid exposure of the customer names and information.
Components of Third-Party Cyber Coverage
a. Notification/Credit Monitoring Costs
Many states, including California, require that businesses notify customers within a certain period of time following discovery of a data breach. In addition, certain states require a business to pay for credit monitoring for the affected customers, typically for up to one year, where customer credit card or other financial information has been compromised. For businesses in possession of customer payment information, it is imperative that the cyber policy includes coverage for notification and credit monitoring costs.
b. Data Breach Notification and Privacy Litigation
This coverage provides for the defense and indemnity of lawsuits brought by affected customers following a data breach.
c. Online Defamation, Copyright and Trademark Infringement
This coverage provides for the defense and indemnity of certain categories of litigation outside of the context of a data breach.
d. Regulatory Defense and Penalties
Cyber policies are somewhat unique in providing coverage for the defense and indemnity of regulatory investigations and prosecutions. Other commercial insurance policies typically exclude coverage for regulatory action.
Non-cyber policies may provide certain liability coverage (although the trend is to exclude cyber liability from non-cyber policies), but will not cover (1) loss containment and restoration expenses; (2) voluntary notification expenses; (3) public relations expenses; (4) notification and credit-monitoring expenses; (5) regulatory defense costs and penalties; or (6) cyber extortion costs.
Key Coverage Areas and Definitions
The first item to examine in a cyber policy is the precise type of data that is covered. Are physical files covered? What about files that are stored via third-party cloud services? If these types of files are not covered, the company should either confirm that it has protection through other policies or indemnity agreements with the cloud provider (highly unlikely) or, preferably, obtain endorsements to the cyber policy to achieve the necessary coverage.
Another issue is whether fraudulent acts committed by authorized users are covered. And be mindful that courts, particularly those in New York, have interpreted certain computer fraud policy language as not including acts committed by an authorized user. For example, in Universal American Corp. v. National Union Fire Ins. Co., 2015 WL 3885816 (N.Y. Jun. 25, 2015), the New York Court of Appeals held that an $18 million scheme in which medical providers submitted fraudulent claims through a health insurance company’s computer system was not covered under the company’s financial institution bond. Although the bond covered “loss resulting directly from a fraudulent entry of electronic data or computer program info,” the Court determined that the medical providers’ entry of claim information was authorized (albeit bogus) and, therefore, not fraudulent. The lesson here is to avoid coverage language that is at all vague and susceptible to misinterpretation.
In the absence of a standard policy, insurers have employed different definitions for terms like “Application,” “Event,” “Loss,” and “Wrongful Act,” among others. These differences can be dramatic. Consider the following three definitions of an insurable event:
- NEWSWORTHY EVENT means an event that has been caused by a claim or loss, or incident that might reasonably lead to a claim or loss under one of the coverages, which the Assured has purchased, that has been publicized through any media channel, including television, print media, radio or electronic networks, the Internet, and/or electronic mail.
- PRIVACY EVENT means any act, error or omission which, in the reasonable opinion of an Executive Officer did cause or is reasonably likely to result in the unauthorized disclosure or the unauthorized use of Protected Information.
- FIRST PARTY INSURED EVENT means: 1. a Computer Violation, Computer Fraud, Funds Transfer Fraud, E-commerce Extortion or Computer System Disruption; or 2. with respect to Insuring Agreements D and E, a Wrongful Act. SINGLE FIRST PARTY INSURED EVENT means: 1. an individual First Party Insured Event; or 2. multiple First Party Insured Events that have as a common nexus, or are causally connected by reason of, any fact, circumstance, situation, event or decision. A Single First Party Insured Event will be deemed to have occurred at the time the first of such First Party Insured Events occurred whether prior to or during the Policy Period.
While the policies containing these definitions are not necessarily designed or marketed for the same risks, the differences are still striking. I can tell you that, from the policyholder’s perspective, the second definition for “Privacy Event” appears straightforward and reasonable, and actually affords the insured input into the coverage determination. It will be interesting to see how long the insurer actually continues to use this definition in its policies. On the other hand, the third definition may be just as reasonable, but will require the review and cross-referencing of several other defined terms before we can know for sure. The main point to take away is that cyber policies offered by different insurance carriers often vary dramatically and do not lend themselves to an apples-to-apples comparison. Before making such an important purchase, a company should be sure it understands what the policy does and does not cover.
Some of the key exclusions to be aware of include the following:
- Bodily Injury/Property Damage
These types of damages are more commonly covered by CGL and other policies. If the CGL policy excludes coverage for damages arising out of a cyber event, however, there could be a gap in coverage if the cyber policy excludes damages for bodily injury and property damage. For example, privacy claims based on a data breach frequently seek damages for emotional distress. Accordingly, the insured should request an exception to the bodily injury exclusion for these specific types of damages claims.
- Fraudulent Acts/Intentional Misconduct
Most insurance policies exclude coverage for damages arising out of the insured’s own intentional and/or fraudulent conduct. Cyber policies are no different. But allegations of intentional misconduct are easy to assert and oftentimes misplaced. Businesses can and should insure against the risk of baseless allegations, which are just as costly to defend against. Therefore, the insured should require that any fraud exclusion not be triggered until after the excluded conduct is determined through a final, non-appealable adjudication, much like in a D&O policy.
- Damages Caused by Insiders/Employees
Many cyber events are caused, either inadvertently or intentionally, by an insured business’s own people. For this reason, an insured should always attempt to limit the insider/employee exclusion to intentional acts. An insured can also obtain coverage for the excluded intentional acts as part of a crime policy, or occasionally by paying for enhanced coverage through the cyber policy.
- Prior Acts
Cyber policies exclude coverage for events that predate the policy date. This can be problematic given that a virus or malware can be introduced into a computer system and not detected for months, if not longer. In these situations, which are not at all uncommon, you can bet that an insurance company is going to deny coverage of the cyber claim. It is, therefore, critical that the insured negotiate for a retroactive policy date of at least one year before the initial coverage placement.
- Laptop/Portable Electronic Device
Many cyber policies exclude events caused by infected laptops or portable electronic devices (e.g., smartphones). But this exclusion can (and should) typically be removed if the insured agrees to encrypt the data contained on these devices.
- Acts of “Terrorism”
The determination of whether a cyber event constitutes “terrorism” within the meaning of a cyber policy exclusion should not be left to the eye of the beholder, particularly where the beholder is an insurance company. And virtually any computer hacking event can be characterized as an “act of terrorism.” So the best practice is to insist on the removal of this exclusion.
- Mechanical/Electronic Failure
Many cyber policies exclude coverage for damages caused by mechanical or electronic failures. But these failures can sometimes be caused directly or indirectly by computer viruses. To avoid having an incidental mechanical or electronic failure complicate coverage of an otherwise-straightforward cyber event, the insured should require that the exclusion provide an exception for mechanical and electronic failures caused by computer viruses.
- Failure to Follow “Minimum Required Standards”
This type of exclusion allows the insurance company to determine, after a claim is made, that an insured did not comply with certain data security standards and practices. While the standards are established ahead of time and provided to the insured, in my view this exclusion is unreasonably rigid and a potential land mine that insureds should avoid at all costs. Under this exclusion, the failure to download an updated security patch within a certain time frame, or the failure to regularly reassess and enhance network security exposure, may give an insurer grounds to deny or challenge coverage. In fact, one insurer has already done just that.
In Columbia Casualty Company v. Cottage Health System, No. 15-cv-03432, an insurer brought an action for declaratory relief against its insured following its agreement to fund a $4.1 million settlement of a data breach class action lawsuit. In the declaratory relief action, Columbia Casualty Company sought reimbursement of the settlement funds on the ground that the insured failed to follow “Minimum Required Practices” dictated by the policy. That case is still pending in the U.S. District Court for the Central District of California, but already serves as an example of how insurers plan to take advantage of the “Minimum Required Standards” exclusion. Regardless of the outcome, the insured is now forced to defend its data security practices a second time, something it surely believed it would be insured against when it purchased the policy from Columbia Casualty. I would highly recommend avoiding cyber policies containing this exclusion.
I recently attended a presentation at which a commercial insurance broker shared the results of a recent survey. The survey reported that roughly 10-15% of businesses have cyber insurance coverage. That is a remarkably low number. In my view, for the vast majority of businesses, cyber insurance is truly an essential product without which the business is playing Russian roulette. Indeed, roughly 60% of small businesses that are hacked will go out of business within 6 months.
While the need for cyber insurance is clear, the ideal policy and coverages are anything but. It probably won’t be long before there are one or more ISO forms for cyber policies. But until that time, businesses need to pay close attention to the important differences among the available policies and evaluate which policy best addresses their specific exposure to cyber liability. Businesses should also keep in mind that the coverages and exclusions in these policies are heavily negotiable, allowing businesses to obtain significantly enhanced coverage with little or no increase in premium. So be sure to squeeze every last ounce of coverage out of your cyber policy. The existence of your company may ultimately depend on it.