It seems that a week does not pass without a story concerning some type of cyber attack grabbing the headlines. In July, the Office of Personnel Management disclosed that hackers stole sensitive information about 21.5 million people in a breach of the federal government’s background-check database. In March, Primera Blue Cross announced that up to 11 million customers could have been affected by a cyber attack in which hackers accessed members' names, dates of birth, Social Security numbers, mailing and email addresses, phone numbers, and bank account information. In February, Anthem, one of the nation’s largest health insurers, said hackers breached a database that contained as many as 80 million records of current and former customers, as well as employees. As these stories continue to multiply, more companies are purchasing insurance policies to protect confidential data. Here are some basics involving cyber insurance policies.
1. Cyber insurance is a fairly new product. The first policies did not appear until the late 1990s. The relative “newness” of these types of policies has at least two implications. First, there are significant coverage differences. A company considering a cyber insurance policy needs to look carefully at the specific coverage offered, and because of the significant differences, comparison shopping by price may be difficult. Second, the market is constantly changing. As new claims are reported, new risks are analyzed. So what seems like a decent policy one year may not even be offered the next.
2. In general, there are two categories of risk and liability that cyber insurance covers. There is “first-party risk/coverage,” which protects against loss or damages that your company incurs because of a cyber attack. This would include forensic investigation coverage, physical damage or data loss/restoration coverage, business interruption coverage for your computer network, and losses based on stolen/ransomed data based on a breach. There is also “third-party risk/coverage,” which covers losses or damages that occur to a third party as a result of a data breach. This would include litigation expenses, crisis management expenses, and credit monitoring and notification costs and expenses. Typically, when analyzing risks, companies will divide risk into first- and third-party coverage and then focus on the specific risks in each category.
3. Next, a company must decide how much coverage is needed. Unfortunately, there is no consensus on how much coverage to obtain, what is an appropriate deductible, or even how to determine coverage liability. Some basic benchmarking data exists. For example, some studies indicate that over the past few years, the average organizational cost of a data breach of 100,000 records (or less) was about $6 million dollars. One simple method in determining coverage limits is to focus on the amount of sensitive records a company possesses, then multiply this count by some average cost per record figure. So, if your company estimates that an average cost to respond to a data breach is $250 per record, and your company has 100,000 confidential records, a $25 million policy limit may be appropriate.
4. Finally, do your homework before purchasing cyber insurance. A breach may go unnoticed for some time before a claim is made. Counsel should consider requesting retroactive coverage to cover unknown breaches that occurred before the policy inception date. Your company may also have limited cyber coverage under your CGL policy, crime policy, or technology errors and omission policy. Coordinating these coverages is important. Finally, read the fine print. Certain exclusions may be written too broadly for your needs, and given the fact that these policies are still evolving, it is important to learn exactly what is covered to ensure your risks are properly mitigated.