• Cyber Attacks Are on the Rise: Do You Have Coverage To Protect Against Your Risks?
  • October 29, 2013 | Author: Collin J. Hite
  • Law Firm: Hirschler Fleischer A Professional Corporation - Richmond Office
  • Exposure to losses from data breaches and loss of personal information continues to rank high on the list of worries for general counsel around the country.  GCs have good reason to worry.  Marsh, one of the largest insurance brokers in the world, reports that over 600 million confidential personal records have been breached in the last five years.  Verizon’s 2013 Data Breach Investigations Report is even more telling with its opening line that in 2012 “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage.”  The Verizon Report’s statistics are even more alarming.  Specifically, 37 percent of data breaches affected financial organizations.  The next highest segments vulnerable to cyber attacks were retail businesses and restaurants, followed by manufacturing, transportation and utilities.

    In response to the growing risk of loss from cyber and privacy violations insurers are reacting in two ways.  First, most insurers have excluded cyber risks from more traditional insurance policies such as Commercial General Liability (“CGL”).  Second, insurance companies are racing to the market with new products aimed at providing specialized coverage for such losses.  As companies of all sizes approach the calendar year-end, now is the time to analyze exposure for cyber risks and address insurance needs to close any gaps in coverage.  If GCs are as worried about losses as noted in current reports, then they should be leading the charge to address the need for cyber insurance.

    Businesses can obtain cyber insurance for first- and third-party losses.  It is critical to understand both and ensure there is appropriate coverage for both.  First-party coverage can include within its scope: 1) computer data restoration; 2) re-securing a company’s information network; 3) theft and fraud coverage; 4) business interruption; 5) forensic investigations; and 6) extortion.  Commentators note that first-party losses are usually the higher costs to a business suffering a cyber attack, so adequate coverage in this area is vital.

    Organizations also need third-party coverage as well.  Of course, most coverage in this area will provide for a defense to litigation brought by your customers for their direct losses due to a breach.  Insurance may also cover the following: 1) crisis management; 2) credit monitoring for customers; 3) the cost associated with notifying customers of a breach; 4) media and privacy liability; and 5) responses to regulatory investigations.

    As industry expert Richard Betterley noted in his report on cyber insurance, “[t]he market continues to broaden, especially in health care and the small- to mid-sized insureds segments.”  However, this is an area of insurance that the buyer must beware.  Cyber insurance is a new form of insurance that does not benefit from long-term placement in the market so that policyholders and insurers have an understanding of the scope of coverage through negotiations and court opinions.  All cyber insurance policies are definitely not created alike.  Some insurers weave the scope of cyber coverage into more traditional policies, such as CGL, D&O and E&O.  The problem with this method is that it is difficult for insureds to understand the scope of coverage and it creates shared limits of insurance that may ultimately prove too little for the exposure.  Companies need to not only conduct a thorough understanding of their risks but also simultaneously understand the scope of the cyber insurance they are placing.

    As a recent announcement from Marsh highlights, “Cyber insurance policies can fill many of the gaps in traditional insurance and provide direct loss and liability protection for risks created by the use of technology and data in an organization’s day-to-day operations.”  There is no time like the present for policyholders—large and small—to analyze their insurance programs to determine if their current insurance will cover cyber risks or if the gaps may need to be filled.  An ounce of prevention upfront from such an analysis may prevent the type of insurance fight many policyholders are facing in order to get the coverage they paid for from their insurer.