All businesses, large and small, are potential targets for cyberattacks. Someone intent on doing harm can:
- Hack, steal and sell your data
- Delete or destroy your data
- Modify your data
- Encrypt your data and demand ransom
- Send fraudulent invoices or instructions to your clients or employees to redirect payments or transfers of money to a cyberthief’s account
- Exploit your company’s access to third-party systems to breach vendor, supplier, affiliate or subcontractor systems
All it takes is a missed patch or a delayed software update, a weak or shared password, a disgruntled employee or a determined competitor, not to mention state-sponsored attackers.
Even if your own cyber security controls are rock solid, what about everyone else's? In this age of digital interconnectivity, attackers can get in through weaknesses in the systems of your suppliers, partners and customers.
Components of a Typical Cyber Insurance Program
While any given business may not be attacked every day, cyberattacks happen frequently enough that risk managers should meet with a knowledgeable broker to assess the cyber-related needs of the business and ensure that the right types of coverage are in place. Pay close attention to policy definitions, as well as to exclusions that could leave your organization exposed.
Following are some of the components of a typical cyber insurance program.
Information Security and Privacy Liability: coverage for defense costs and indemnity claims against you for alleged theft, loss or unauthorized disclosure of personally identifiable information, protected health information or third-party information, such as trade secrets or credit card information, that is in your custody and/or for which you are legally liable. It also covers you against alleged failure of your company to prevent a security breach that causes damage to data stored on your computer systems. This definition may extend to include systems operated by a third-party service provider used to store your electronic data. A third-party allegation that malicious code was transmitted from your systems to someone else's computer systems, or that your systems participated in a denial of service attack directed against someone else's computer system, is also covered.
Privacy Breach Response Services/Notification/Crisis Management Costs: coverage in the event of a breach or cyberattack to reimburse you for things such as computer security expert services (e.g., forensics, prevention of future breaches), legal services, notification services (to alert anyone whose information was breached), call center services, breach resolution and mitigation services (e.g., credit monitoring, identity monitoring) and public relations expenses.
Regulatory Defense and Penalties: coverage for claims, expenses, fines and penalties that you become legally obligated to pay because of a regulatory proceeding (e.g., federal, state, local, foreign enforcement agency) brought against you for a violation of privacy law, such as by a state attorney general for violation of a state data breach notification statute.
Other Fines and Penalties: coverage for other civil fines and penalties arising out of a cyber peril (e.g., loss of consumer information or data protected by HIPAA, GDPR, etc.), to the extent insurable by law.
Payment Card Industry (PCI) Fines, Expenses and Costs: coverage for contractual claims made against you under a merchant service agreement (credit and debit card payments) for fines, expenses, assessments and other costs. Note that the insurer will not defend these claims.
Website Media Content Liability: coverage for damages and expenses resulting from claims made against you by third parties for covered acts committed while displaying materials on your website or social media sites. Covered acts include defamation and other torts, violation of privacy rights, invasion of right of publicity, plagiarism, copyright or trademark infringement, and improper deep-linking.
Network Business Interruption Loss: coverage to protect you against business interruption losses sustained as a result of a cyber event, security breach or data loss. Business interruption losses may include lost income, dependent business loss (e.g., a breach of the security systems of a critical contractor/vendor that in turn causes your loss), extra expenses incurred to minimize income loss and consequential reputational damage (loss of future income).
Cyber Extortion Loss/Ransomware: coverage for extortion payments and related expenses resulting from threats (e.g., malware, ransomware) made during a policy period. This generally covers threats other than those made by the company’s own officers, directors, managers and partners.
Computer Data Loss and Restoration: coverage for the cost to regain access to, replace, restore, reassemble or recollect any data asset (software, hardware or electronic data) that has been altered, destroyed, deleted or damaged, or that you are unable to access, due to a cyberattack or security breach.
Other Related Coverages: Crime and Deception Fraud
In addition to these typical cyber coverages, risk managers should also discuss related crime and deception fraud coverages with an experienced broker or adviser. We explore some of these coverages in Part 2 of this blog.
Unlike other types of coverage, cyber insurance policy language is not standardized and can vary greatly from carrier to carrier. Further, the cyber landscape is continually changing, meaning that businesses must be vigilant in how they protect themselves against emerging threats. Hylant’s Cyber Risk Practice is here to help. Contact your local Hylant office or service team member if you need assistance.
The above information does not constitute advice. Always contact your insurance broker or trusted adviser for insurance-related questions.