Cyber incidents and attacks, in which threat actors target companies to extort a ransom, to steal sensitive information, or for other reasons, are a significant and growing threat. In 2021 alone, cyber incidents are estimated to have caused roughly $6 trillion in losses, and the threat is expected to persist. Corporations are increasingly seeking insurance against this risk, but coverage for cyber incidents is still a relatively new and rapidly changing field. In this post, we focus on key considerations for general counsel, chief technology officers and cyber security officers when it comes to cyber insurance and protecting against cyber risk.
Does my company need cyber insurance?
Whether to buy cyber insurance is a business decision that each company must weigh against its own circumstances, but virtually every company faces some risk from cyber incidents. Breaches involving customer or consumer data tend to get the most attention, but even companies that collect no sensitive customer or consumer information can fall prey. For one thing, companies hold private, sensitive information about their own employees, including medical and pension records. They may also hold proprietary information or trade secrets that attackers would want to obtain.
In fact, many of the most dangerous and costly cyber incidents do not involve the theft of personal information at all. The threat of disclosing any data that a company values can serve as extortion leverage, and ransomware can encrypt a company’s data and information systems, after which the attackers demand a ransom to restore access. Companies may also be targeted as a stepping stone to the systems of third parties that do business with them, which can expose the initial target to liability to those parties on top of its own incident response and data restoration costs. This is why the risk is so widespread.
It is important to note that cyber coverage alone is not intended to – and cannot – provide all the data security and privacy protection a company needs. Rather, companies should consider how insurance fits into their broader risk management and incident response strategy, including training and data management policies that can help avoid a cyber incident in the first place.
What kinds of policies cover cyber risks, and what do the policies actually cover?
As with any insurance policy, it is important to have a clear understanding of what your corporation’s cyber policy actually says. A policy may define covered legal costs more narrowly than the costs a company would expect to incur in responding to an incident. It may impose separate, lower sublimits for certain categories of costs or losses. It may require the insurer’s consent before certain costs are incurred. Broad categories of attack may be carved out by exclusions; for example, insurers have argued that coverage for state-sponsored cyber-attacks is barred by the common exclusions for war or terrorism. Such arguments have met resistance in the courts, but Lloyd’s of London has announced that it will require insurers selling cyber policies through its marketplace to exclude state-backed attacks.
In addition, the role of insurance in a corporation’s cyber risk management strategy need not be limited to specialized cyber policies, not least because the costs and liabilities arising from a cyber incident can be very broad. Kidnap and ransom policies, for example, may cover ransomware extortion payments (although such policies increasingly exclude these incidents). Property insurance may cover the loss or replacement of affected hardware, as well as business income lost while the policyholder is unable to operate. Liability coverage may respond to lawsuits and investigations arising from a data breach, including D&O coverage for claims that directors were grossly negligent in failing to prevent the incident.
How much coverage do I need?
Cyber incidents can be very costly. A company that has experienced a data breach may face regulatory enforcement from multiple agencies and in multiple jurisdictions, and fines can reach hundreds of millions of dollars depending on the agency, the number of people affected and the circumstances of the breach. Data breaches can also give rise to lawsuits by those whose information was stolen, whether individuals or commercial partners, and to derivative actions by shareholders.
In addition to liability, the costs of responding to a cyber incident can be substantial: legal and crisis management advice; forensic investigation into the source and scope of the attack; replacement of corrupted equipment and other information technology infrastructure; and extortion payments. The affected company may also lose substantial income while its operations are curtailed or suspended entirely, not to mention the potential reputational cost.
Like the decision whether to buy coverage, how much coverage to buy is a business decision that depends on various factors, including how much coverage a company can afford and the capacity available in the insurance market. A reputable broker should have proprietary benchmarking tools, information on what peer companies are buying, and other means to help make that determination.
What is the deductible or retention under my cyber insurance policy, and what costs count toward it?
Like most insurance policies, cyber policies will usually have a deductible or retention – an amount of loss that the policyholder is responsible for that must be exhausted before the insurance kicks in (this article uses the terms “deductible” and “retention” interchangeably). The amount of the deductible will depend on a number of factors – what the insurance market is willing to offer, what the company needs, and how much more expensive the premium will be for a lower deductible.
Just as understanding what is and is not covered is an important part of managing cyber risk, so too is understanding which costs and losses count toward exhausting the deductible. In particular, policyholders should be wary of insurers arguing that any cyber losses the policyholder recoups from sources other than insurance should not count toward the deductible, which in effect raises it. Courts have recently rejected such arguments, but insurers are likely to respond by revising their policy forms, and any given case will turn on the particular policy language at issue.
Companies should also be aware of their policies’ notice obligations and of any requirement to obtain the insurer’s prior consent before retaining counsel or other incident response vendors. Policies require the insured to notify the insurer of claims or potential claims, often as soon as the insured becomes aware of an incident that may give rise to a claim, and the precise requirements vary significantly from policy to policy. Many states’ laws require strict compliance with these notice provisions, and late notice can forfeit coverage that would otherwise be available. Many policies likewise require the insurer’s consent before the insured engages attorneys or other vendors to respond to an incident. A policyholder subject to such a provision should request consent as early as possible, so that it does not incur costs that fail to count toward the retention or fall outside coverage altogether.
What insurance do vendors and other third parties have, and does it cover the company?
Very often, a company that finds itself the victim of a cyber-attack was not the direct or initial target. Rather, the threat actor compromised a vendor or other counterparty and used that counterparty’s access, or the information it held, to reach the company. Ideally, the vendor will carry insurance that also covers your company for losses arising from the vendor’s compromise, but you cannot assume that it does: many smaller vendors struggle to obtain coverage in the market, and policing another company’s insurance program is inherently difficult. When contracting with a vendor, do not rely solely on its representations about its coverage; where possible, review the policy itself (not just a certificate of insurance) to confirm that it satisfies the insurance-procurement requirements in the vendor contract and that your company will be covered. (By the same token, make sure that you carry any coverage your own contracts require you to maintain for your counterparties.)
Unfortunately, cyber incidents are likely to remain a major source of risk for corporations regardless of their size or line of business. Understanding the role that insurance can play in mitigating that risk will be a critical part of managing it.