A Corporate Counsel's Guide to Cyber Insurance
On an almost daily basis, you are reminded of why you should worry about the security of your company’s data and information systems. Whether it be from headlines in hard copy, broadcast, or online media, your senses have been slammed with one sensational story after another about increasingly massive data breaches. You may have even read about malware that continues to morph once it tunnels into a system, allowing it to evade detective software. You have seen serious economic and reputational damage done to businesses because cyber thugs launched an attack against their digital infrastructure. You have also seen class actions filed by consumers, derivative actions filed by investors, and enforcement actions taken by regulatory agencies.
With each new headline and regulatory settlement, you have developed an increased sense of urgency to better protect the financial health of your business as it confronts increasingly dangerous cyber threats. Where do you begin? The obvious first steps will involve the development and implementation of strategies to mitigate the risk of harm by continuously strengthening the security of your company’s information systems. Unfortunately, the technology behind the cyber threats has proven to be dangerously resilient, which means there will always be risk that cannot be mitigated by technology. What should you do about this risk? Consider transferring it to cyber insurance.
But Don’t We Already Have Policies Covering Cyber Threats?
The First Step Is to Determine the Extent of Your Current Insurance Coverage.
Many businesses mistakenly believe they have cyber insurance coverage under “non-cyber” policies. Some mistakenly believe it is covered by a commercial general liability (CGL) policy, not realizing it was excluded many years ago. As an example, in 2001, the Insurance Services Office, Inc. (ISO), a company that develops and publishes policy language for many insurance companies, revised the ISO CGL form to amend the definition of “property damage” to clarify that “electronic data is not tangible property” and, further, that “electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” In 2004, an ISO CGL revision added an exclusion for damage to electronic data to complement the 2001 ISO amendment. The electronic data exclusion broadly excluded coverage for “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” On May 1, 2014, ISO published a new standard CGL policy form that included a data breach liability exclusion endorsement. ISO clarified that this was not a reduction in coverage because the CGL policy form was never intended to cover data breach liability. Courts have also held that the CGL policy form does not cover data breach damages or damage to electronic data.
The above-referenced policy form changes highlight the importance of working closely with your insurance broker to understand the coverages being offered as part of your insurance portfolio. Looking beyond the CGL policy form, cyber liability coverage may be offered as a part of some Errors & Omissions (E&O), Directors & Officers (D&O), Crime and Fiduciary policy forms. However, coverage for cyber-related claims is not always clearly provided by these policy forms and, if it is provided, it is typically very narrow in scope. The message from courts analyzing coverage under these policy forms is that the outcomes are unpredictable and turn on the factual allegations made and the specific policy language. The result is that none of the cases are necessarily controlling, even in their own jurisdiction, as each one can easily be distinguished on their facts. A much better approach is to clearly understand what is and is not provided for under your policies with respect to cyber-related claims before a digital crisis occurs.
Okay … It Looks Like We Need Additional Coverage, What Is My Next Step?
The Next Step Is to Identify a Knowledgeable Cyber-Insurance Broker, and Begin to Assess Cyber-Related Insurance Coverage Forms That Are Being Offered to Find The One That Adequately Meets Your Organization’s Needs.
A knowledgeable broker is one who understands your business’ cyber risks, and can do a “virtual walk through” of the possible types of data compromises that might occur. In walking through this process, you’ll want to review, as much as possible, all the areas in which your organization may be exposed to risk. Once those risks are identified, the knowledgeable broker can work with you to evaluate how the different cyber-related policy forms offered by insurance companies would apply to the different risks your business may face.
According to the 2014 Cost of Data Breach Study: Global Analysis, the average organizational cost of a data breach in the U.S. is $5.85 million. The average per capita cost of a data breach in the United States – the cost per compromised record - is $201. The average cost of data breach notification alone in the U.S. is $509,237. While it may be easy to identify the need for additional coverage, the challenge is that premiums and limits of liability vary widely, and organizations must exercise care to identify their unique risks and obtain coverage for those risks at costs they can reasonably absorb.
Let’s look at one of the most frequent cyber events today. Assume your organization processes personal information, such as credit card payment information, and imagine the types of expenses you would incur if the server used to process that information was compromised with malware. Assume you learned that all customer transactions over the previous four months had been compromised, resulting in the theft of credit card payment information for 5,000 customers. Your first expense would be for a forensics firm to assess, contain and eradicate the problem, provide any necessary analysis, and draft a written summary of its findings. Depending upon the nature of the analysis, this could cost at least $25,000 to $50,000. Your next expense would be for legal counsel to guide you through the process of identifying your legal obligations pertaining to consumer notification. This may also involve notification of regulatory officials, credit reporting agencies, merchant banks and credit card issuers. The obligations will be determined by the residential location of the affected consumers. Forty-seven states have data breach notification statutes which require notification of the affected consumers. Several of these states also require notification to a state official, often the state attorney general, any time statutory notification of a resident is required. Some states require specific information to be included in the consumer notification. One state, Massachusetts, specifically precludes certain information in the consumer notification. Violations of the consumer notification statutes are often subject to enforcement by the state attorney general. The navigation of the state data breach notification laws, the drafting of letters to consumers, regulatory officials, credit reporting agencies, merchant banks and credit card issuers, as well as any associated follow up with those notified, may cost at least $10,000 to $25,000. Since this example involves a relatively small breach, the cost would also be relatively small, but at least $35,000 to $75,000.
If more than credit card payment information was compromised, such as other financial account information or social security numbers, you would probably provide credit monitoring and/or identity theft protection services to the affected consumers. These services would involve additional notification and may cost anywhere from $15,000 to at least $25,000, depending upon the number of consumers who avail themselves of the services. If healthcare information is compromised, it may require additional notification to the Department of Health and Human Services Office for Civil Rights. Depending upon the residential location of the consumer, it may also require notification to a state public health agency, all of which would increase the cost. The more notice to regulatory officials, the more risk there is that further investigative costs, legal costs, or fines or penalties will be incurred.
The above scenarios only involve the compromise of personal information. What would happen if malware damaged your information system, shutting down your organization’s ability to generate revenue for a period of time? What would happen if the mere publication of the breach caused a percentage of customers to find another source for what they purchased from you? What would happen if you learned that malware had destroyed critical intellectual property or necessary financial data? What would happen if you received notice that an affected consumer had filed a class action against your organization, on behalf of the 5,000 affected consumers? What would that cost?
Ultimately, you and your broker must identify the unique risks that your organization may face, so that cyber-related insurance coverage can be tailored to those risks. This must take into consideration any existing coverage so that gaps can be identified and plugged with cyber-related insurance.
Once you have identified necessary areas of coverage for your organization, the likely costs of a data breach must be compared with the available limits of liability and related costs. Cyber insurance may be offered by insurers as a stand-alone policy or as an add-on to other policy forms. Where it is an add-one to another policy form, such as a D&O policy, consideration must be given to the fact that your cyber insurance limits may be compromised in the event more traditional D&O claims are charged against the policy. This may mean purchasing higher and/or independent policy limits to offset the risk of extinguishing available limits under the combined-risk policy. The limits of liability must also match the realistic exposure in the event of a data breach - and the sublimits, for things like computer forensics, data breach notification, remediation services, and responses to regulatory investigations, must adequately cover the likely costs.
What Types of Coverage Should I Consider?
Different insurance carriers may have different names for their cyber insurance products. Regardless of the names of the products, the coverage will generally fall into five categories: first party, third party, remediation, fines and penalties, and risk management.
- First-party coverage may indemnify your organization for its own data loss, income loss, business interruption costs, system damage and restoration costs, cyber extortion, crime loss (including computer fraud or funds transfer fraud), or for other direct harm to the organization resulting from a data breach or information security incident. This is often referred to as property and theft coverage.
- Third-party coverage may indemnify your organization for liability to third parties — including customers and governmental entities — arising from a data breach. This may include media liability (including copyright and trademark infringement), privacy liability to employees or customers for breach of privacy, bodily injury (certain cyber-attacks can cause physical harm), and/or defensive litigation services (to defend against class actions, derivative actions, and regulatory actions). This is often referred to as liability coverage.
- Remediation coverage typically indemnifies your organization for legal services during the response to a data breach, forensics services, crisis management services (including public relations expenses beyond consumer notification), consumer notification, regulatory official notification, credit monitoring, and identity theft protection services.
- Fines and penalties coverage may indemnify your organization for the expenses of regulatory investigations, civil judgments, fines and penalties levied by regulatory authorities, and fines and penalties for payment card industry compliance violations.
- Risk management services coverage indemnifies your organization for certain costs associated with increasing the security posture of your organization and mitigating the risk of an information security incident. This may include pre-breach planning services (incident response planning), information portals which include reference material related to mitigating the risk of an information security incident, information system penetration testing, and educational programs sponsored by the insurer. Given the potentially devastating expense of a data breach, proactive risk management services coverage may be worth pursuing.
Finally, it’s important to consider who is authorized to provide data breach response services under your cyber policy. You should ensure that your organization obtains pre-authorization for its choice of legal representation, especially if you have an existing business relationship with a law firm that has experience in providing breach response services. You can often negotiate with the insurance company to have your qualified counsel be the firm to provide your breach response services. Competent breach counsel is critical to guide your organization through the various aspects of a data breach response. Similarly, it is important to ensure that the insurance company offering the cyber policy have relationships with appropriate third party breach response vendors, which may include forensics firms, consumer notification services, credit monitoring or identity theft protection services, and crisis communication or public relations services. Negotiating for your preferred counsel and breach response vendors with the insurance company as part of purchasing the cyber policy (rather than at the time of the claim) is much more likely to result in acceptance by the insurer of your choice.
What Other Potential Pitfalls Should I Avoid?
In assessing your organization’s breach response needs, ensure that the cyber insurance policy includes sufficient occurrence and aggregate limits of liability to match the potential exposure for both first party and third party claims, considering the substantial costs associated with legal services, forensics services, consumer notification, credit monitoring or identity theft protection services, and crisis communication or public relations services. Your broker should be able to help you assess appropriate limits and, if not, should consult a qualified data breach professional to help.
It is also important to consider exclusions. As referenced above, it is critical that the types of losses incurred by your organization in a data breach not be excluded. Be very careful to review all exclusions to ensure that your policy meets the reasonably foreseeable needs of your organization.
In the event your coverage is provided on a claims-made form, it is important to identify the retroactive date of your insurance coverage. Policies often restrict coverage to losses that occur after a specific date, which is typically the inception date of the policy. This means that there would be no coverage for a loss that occurred before the inception of the policy. The challenge with cyber-related policies is that due to the nature of malware, a data compromise or breach may go undetected for extended periods of time, often at least months, sometimes years. It is therefore very important to purchase coverage with the earliest possible retroactive date.
If your organization outsources data processing or storage to a third-party vendor, it is critically important that your cyber-related insurance policy provide coverage for claims that arise from misconduct by a vendor. Your organization should also consider coverage for loss of information on unencrypted devices. Although many firms encrypt company-owned laptops, personally owned computers and storage devices are often not encrypted. It is important for organizations facing a loss of data through unencrypted personal computers to buy insurance that provides coverage for such losses.
When You Know Better, You Do Better
To couch an old maxim, “When you know better, you do better.” Knowing the risks inherent in conducting business in our digital environment, you should ensure that your organization has adequate cyber-related insurance to cover them. There is no question but that the cyber threats in our digital environment are continuing to grow in volume and impact. Your best efforts are required to mitigate risks associated with these cyber threats and their impact upon your organization’s financial health. Regardless of the security controls employed by your organization, however, substantial residual risk will remain. The technology behind the cyber threats has proven to be dangerously resilient, which means there will always be residual risk. The risk that cannot be mitigated through technology should be transferred to cyber insurance. This action will not only reflect a heightened standard of care due to your awareness of the current digital environment, but it will provide economic protection for your organization should a digital disaster occur – and it may provide you some well-deserved peace of mind.