Most IT leaders plan for cyber attacks by constructing firewalls and installing security hardware and software. They typically don’t think about cyber insurance. Even so, with the widespread proliferation of malware, companies are finding that their IT infrastructure has been attacked, customer data has been compromised, the IT system is being held for ransom, and assets are missing.
Almost every day there are reports of cyber intrusions, attacks and related security breaches. If your company does not have the right insurance, it could be even more of a disaster. For example, according to regulatory filings, at the time of Target’s cyber breach in 2014, it had about US$100 million in insurance coverage with a $10 million deductible, but that did not even make a dent in the estimated losses of $1 billion.
What company can afford not to have insurance for a potential cyber disaster? Let’s look at some protective measures that can be taken to safeguard your business.
As a practical matter, you or your chief risk officer should examine your current insurance policies to see if you have insurance protection for these cyber risks:
- Network and information security liability
- Communications and media liability
- Crisis management event expenses
- Security breach remediation and notification expenses
- Computer program and electronic data restoration expenses
- Computer fraud
- Funds transfer fraud
- E-Commerce extortion
Of course, each business has its own insurance needs, so you will need to make your own decisions about the right coverage. For instance, if your company is in the healthcare industry, specific coverage for HIPAA data should be included.
Inspect Your Policies
Some insurance companies offer cyber protection as an add-on policy to general commercial liability, while other insurance companies include cyber protection in policies for cyber crime.
It would be wise to take a look at what coverage your company has, what is available, and make sure you do have cyber insurance coverage.
Whether cyber insurance is deemed a part of certain GCL policies is the subject of a declaratory judgment complaint brought by Travelers Indemnity Company in the U.S. District Court in Connecticut in October 2014. The Complaint alleged that P.F. Chang’s restaurant chain did not have cyber coverage with Travelers. Because there was no cyber coverage, Travelers claimed “that it is not obligated to defend or indemnify P.F. Chang’s…under GCL insurance policies issued by Travelers.”
It appears that Travelers filed the claim for two reasons. First, P.F. Chang’s had filed a claim for insurance coverage under its Travelers GCL policy for a cyber breach involving seven million customers’ credit and debit cards. Second, class action cases were brought by P.F. Chang’s customers in several states, accusing P.F. Chang’s of failure to prevent the breach, and breach of implied contract.
Interestingly, the breach itself began on Sept. 18, 2013. However, P.F. Chang’s was unaware of the breach until nine months later, on June 10, 2014.
It will be interesting to follow this case to see how the Court views the CGL coverage.
Examples of Cyber Insurance Coverage
AIG, one of the largest insurance companies in the world, offers CyberEdge, which provides coverage for security or data breach losses as follows:
- Direct first-party costs resulting from a breach
- Lost income and operating expense resulting from a security or data breach
- Threats to disclose data or attack a system to extort money
- Online defamation
Travelers, another large insurance company, offers CyberFirst, which includes a number of related insurance coverage provisions:
- Technology errors and omissions liability
- Network and information security liability
- Communications and media liability
- Employed legal professional liability
- Expense reimbursement
How to Assess a Cyber Incident
Most IT leaders plan for cyber attacks by constructing firewalls and installing related security hardware and software. However, with the widespread proliferation of malware, companies are finding that their IT infrastructure has been attacked, customer data has been compromised, the IT system is being held for ransom and assets are missing. This obviously puts a burden on the IT leadership — CIOs, CISOs and CTOs — to do an immediate assessment of what transpired:
- Identify malware within their networks
- Review logs to see when and where the cyber intruders came in
- Determine what if any data was remotely accessed
- Determine what if any data was sent off the network
- Determine whether backup files can be used to reconstruct encrypted data
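The assessment steps above, worked through as an added example that is not code from the article: a short triage script that reads authentication and egress logs to answer "when and where did the intruders come in" and "what was sent off the network". The log formats, hostnames, addresses and byte counts are constructed for the example and are assumptions, not records from any real incident.

```python
"""Triage constructed authentication and egress logs to answer two of the
assessment questions: when and from where did the intruder first log in,
and how much data left the network afterwards.

The log formats, hosts and addresses below are constructed for this example."""
import ipaddress
import re
from datetime import datetime

# Constructed authentication log: timestamp, target host, account, source, outcome.
AUTH_LOG = """\
2014-06-09T22:14:03Z host=fileserver01 user=jdoe src=10.1.4.22 result=success
2014-06-09T23:41:17Z host=fileserver01 user=admin src=203.0.113.45 result=failure
2014-06-09T23:41:22Z host=fileserver01 user=admin src=203.0.113.45 result=failure
2014-06-09T23:41:30Z host=fileserver01 user=admin src=203.0.113.45 result=success
2014-06-10T00:05:11Z host=dbserver02 user=admin src=10.1.4.22 result=success
2014-06-10T00:06:40Z host=dbserver02 user=admin src=203.0.113.45 result=success
"""

# Constructed egress (proxy/firewall) log: timestamp, internal source, destination, bytes out.
EGRESS_LOG = """\
2014-06-09T21:00:00Z src=10.1.4.22 dst=10.1.9.9 bytes_out=48000
2014-06-09T23:50:00Z src=10.1.4.22 dst=198.51.100.7 bytes_out=120000000
2014-06-10T00:20:00Z src=10.1.9.5 dst=198.51.100.7 bytes_out=350000000
2014-06-10T01:00:00Z src=10.1.9.5 dst=10.1.4.22 bytes_out=9000
"""

# Assumed internal address range; anything outside it is treated as "off the network".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
EGRESS_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_intrusion(auth_log: str):
    """Earliest successful login from a source outside INTERNAL_NETS.

    Returns the timestamp, the source address, the internal hosts that source
    reached, and how many failed logins preceded the first success (a sign of
    password guessing), or None if every success came from inside."""
    events = [m.groupdict() for m in map(AUTH_RE.match, auth_log.splitlines()) if m]
    external = [e for e in events if not is_internal(e["src"])]
    successes = sorted(
        (e for e in external if e["result"] == "success"), key=lambda e: parse_ts(e["ts"])
    )
    if not successes:
        return None
    first = successes[0]
    src = first["src"]
    first_dt = parse_ts(first["ts"])
    return {
        "first_seen": first["ts"],
        "source": src,
        "hosts": sorted({e["host"] for e in external if e["src"] == src and e["result"] == "success"}),
        "failed_before": sum(
            1 for e in external
            if e["src"] == src and e["result"] == "failure" and parse_ts(e["ts"]) < first_dt
        ),
    }


def outbound_after(egress_log: str, since: str):
    """Bytes sent to external destinations at or after `since`, per destination.

    This is only an upper bound on "what was sent off the network": an analyst
    still has to tie each flow to the intruder's sessions before calling it
    exfiltration, and encrypted or proxied transfers may hide what left."""
    since_dt = parse_ts(since)
    totals = {}
    for m in map(EGRESS_RE.match, egress_log.splitlines()):
        if not m:
            continue
        e = m.groupdict()
        if is_internal(e["dst"]) or parse_ts(e["ts"]) < since_dt:
            continue
        totals[e["dst"]] = totals.get(e["dst"], 0) + int(e["bytes"])
    return totals


if __name__ == "__main__":
    intrusion = find_intrusion(AUTH_LOG)
    print("First external login:", intrusion)
    if intrusion:
        print("Outbound to external hosts since then:", outbound_after(EGRESS_LOG, intrusion["first_seen"]))
```

On the constructed logs the script reports the first external success at 23:41:30 from 203.0.113.45 after two failed attempts, two internal hosts reached by that source, and 470 MB sent to one external destination afterwards; the numbers are what an insurer's forensics vendor would then verify against the actual hosts and backups.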
Following the assessment, companies may need to report to customers, as well as to their own employees, under a variety of laws in 47 states. Plus, in addition to everything else that violated companies must do, if credit card or banking information has been compromised, they may have a legal duty to provide credit protection services for up to one year. This happens more often than people want to know.
Report the Cyber Incident — It May Be a Crime
Of course, it is important that the U.S. government learns about all cyber incidents so they can investigate in order to find the bad guys. The incidents should be reported to the Internet Crime Complaint Center (IC3), which is a partnership between the FBI and the National White Collar Crime Center. The IC3 defines Internet crime:
…as any illegal activity involving one or more components of the Internet, such as websites, chat rooms, and/or email. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers. These crimes may include, but are not limited to, advance-fee schemes, non-delivery of goods or services, computer hacking, or employment/business opportunity schemes.
If your company has a cyber intrusion, consult your lawyer first to be sure you take the appropriate steps, including making a timely cyber insurance claim.
This article was first published in the ABA Coverage Journal July-August 2014, Vol. 24, No. 4.
Unless you have been living under a rock for the past few years (without a wireless connection), you are likely familiar with the countless news stories that unfold every day reporting seemingly fantastic tales of cyber security espionage, hacker attacks, and myriad other data security and privacy breaches that have affected millions of people and companies across the globe. In fact, you might be one of the victims. As the Heartbleed episode demonstrates, no information on the Internet is truly safe.
According to some news reports, Heartbleed is a major flaw in encryption technology that is used by two-thirds of web servers. Hackers could exploit this bug to gain access to individuals’ sensitive personal and financial information. In short, all personal and corporate data are vulnerable to some extent.
Even as some companies take greater precautions to safeguard their most valuable intangible assets, including sensitive customer and business information, it seems that hackers are employing increasingly sophisticated measures to gain access to the data. Sadly, the likely reality is that, at some point in time, you or your business may experience some form of cyber attack, which comes in various sizes, shapes, and forms. So what’s a company to do?
The Nuts and Bolts of Cyber Insurance
Fear not; the insurance industry has not one—but numerous—cyber liability insurance policies from which to choose. The real question is what do they cover? And do you really need one?
The good news is that cyber insurance policies have become increasingly comprehensive in terms of the cyber protection they afford. The bad news is that no one seems to understand them. Given the rapid evolution of this relatively young insurance product, cyber liability policy terms seem to change almost as frequently as the latest form of malware employed by hackers. Unfortunately, many of the policies are unnecessarily complex for their own good. Fortunately, there are some key commonalities and concepts in cyber policies that are relatively simple for the average layperson or professional to grasp.
Cyber policies typically cover claims or incidents first made and reported to the insurer during a 12-month policy period. Key coverages may include cyber-risk management tools; first-party coverage for the insured to respond to the breach; and third-party coverage for claims against the insured by third parties, including regulatory authorities and customers whose personal data have been affected. Of course, the devil is in the details with these policies—particularly the defined terms, which can read like a technical manifesto for the uninitiated.
An Ounce of Prevention with Cyber-Risk Management
According to a Carnegie Mellon University report examining how corporate boards and senior executives are managing cyber risk, directors and officers have a fiduciary duty to protect the assets of their organization. “This duty extends to digital assets, and has been expanded by laws and regulations that impose specific privacy and cyber security obligations on companies.” Nonetheless, many companies have not given much, if any, thought to cyber-risk management or prevention. As noted by Larry Ponemon, chairman and founder of the Ponemon Institute, “only a few executive officers understand security and the rest are clueless. . . . This causes a big disconnect between the people performing information security to protect an organization’s data and the top level executives at the organization.”
Indeed, according to a 2014 survey by the New York Stock Exchange, only 11 percent of boards are “very confident” of their ability to manage cyber risk. As a result, many boards are reassessing their skills in cyber-risk management. Experience in overseeing the growing threat of cyber security risk, along with information technology (IT) expertise, is fast becoming one of the key attributes that boards will consider when appointing new directors.
To increase boards’ effectiveness at managing and reducing cyber risk, Carnegie Mellon developed a corporate governance best practices checklist, which includes some of the following suggestions:
· Establish a dedicated Board Cyber Risk Committee, separate from the Audit Committee, and assign it responsibility for oversight of cyber security;
· Recruit directors with security and IT expertise;
· Conduct an annual audit and testing of security and breach response programs and controls (including incident response, breach notification, disaster recovery, and crisis communication plans);
· Require management—preferably a chief information or security officer—to give the board periodic updates on privacy and security risks and the effectiveness of existing security measures and controls to ensure that any vulnerabilities are addressed;
· Require annual board reviews of budgets for privacy and security risk management;
· Evaluate potential liabilities and losses for cyber risk; and
· Review the adequacy of cyber-risk insurance coverage.
Public companies in particular should have a solid grasp of their potential cyber liability exposure because they are required under federal securities laws to publicly disclose any material risks to their business and operations. The U.S. Securities and Exchange Commission (SEC) has issued cyber security risk disclosure guidance encouraging companies to disclose actual or potential cyber risks that might be viewed as material to investors. The SEC’s sample of cyber-risk disclosures include the following topics:
· Discussion of aspects of the company’s business or operations that give rise to material cyber security risks and the potential costs and consequences;
· To the extent the company outsources functions that have material cyber security risks, a description of those functions and how the company addresses those third-party risks;
· Description of any material cyber incidents that the company has experienced in the past;
· Risks related to cyber incidents that might remain undetected for an extended period; and
· A description of relevant insurance coverage.
On March 26, 2014, the SEC hosted a roundtable on cyber security risk. As noted by SEC Chair Mary Jo White and SEC Commissioner Luis Aguilar, the SEC is continuing to study the impact of its prior cyber security risk disclosure guidance and whether the agency should be more proactive in this area to protect investors and the integrity of the U.S. financial markets. The SEC is already stepping up its efforts to police Wall Street’s cyber security preparedness by announcing the agency’s plans to conduct an in-depth examination of 50 registered broker-dealers and investment advisers. The SEC intends to use the information gleaned from the securities industry to identify potential vulnerabilities, the industry’s current efforts to address cyber risk and areas for potential cooperation between the SEC and Wall Street to mitigate the threat of cyber risk.
SEC Commissioner Luis Aguilar recently emphasized the oversight role of corporate boards with respect to cyber risk. He cautioned that “boards that choose to ignore, or minimize, the importance of cyber security oversight responsibility, do so at their own peril.” At the New York Stock Exchange conference entitled Cyber Risks and the Boardroom, on June 10, 2014, Commissioner Aguilar proposed a series of recommendations on what boards should do to ensure that their companies are adequately addressing cyber risk.
First, he suggested that companies adopt the National Institute of Standards and Technology Cybersecurity Framework, which is intended to provide companies with a set of industry standards and best practices for managing cyber risk. At its core, this framework sets forth five governing principles: (1) identify critical IT systems and electronic data assets; (2) protect these systems and assets by implementing adequate security measures; (3) detect cyber security threats through continuous monitoring; (4) respond to cyber attacks pursuant to a written and tested breach response plan; and (5) recover lost, stolen, or impaired assets and services pursuant to a business continuity and recovery plan.
Second, Commissioner Aguilar encouraged boards to retain directors with IT and security expertise in order to evaluate whether a company’s management is taking appropriate steps to address cyber security issues. Third, he noted that companies should have dedicated employees whose primary responsibility is managing day-to-day privacy and security, ideally including a chief information security officer. Fourth, he emphasized that companies should have a tested and well-thought-out breach response and recovery plan in place. These plans should address when and how a company should publicly disclose a cyber attack—both internally within the company and externally to customers and investors.
Some cyber insurers in the market today offer sophisticated technology tools that can be used by companies to block and monitor unwarranted attacks and access to a company’s computer systems and network. Not so coincidentally, this technology is also a benefit to the insurer because it helps to reduce the risk of loss to its insured. However, this is by no means a standard feature of cyber coverage, and it is likely intended for larger companies in particular industries with greater perceived exposure.
More commonly, carriers offer their insureds one or more hours of complimentary access to a consultant or professional to discuss and review a company’s cyber readiness plan, which may include corporate data security and privacy policies; whether the company uses third-party providers that may have access to sensitive data; whether the company is compliant with industry standard data protection safeguards; whether the company conducts periodic audits of its network security and routinely upgrades its security measures as needed; training for employees to detect cyber threats or attacks; and identifying the company’s core team of individuals, dedicated responsibilities, and chain of command for reporting and responding to a data breach. In addition, carriers may provide companies with access to online cyber risk management tools and training. At a minimum, these risk management tools offer companies an invaluable opportunity to assess their risks and vulnerabilities before an attack.
First-Party Cyber Coverage: Investigating and Containing the Loss
Of course, access to cyber-risk management tools does not replace the comfort that comprehensive first-party coverage can provide in the event of an actual data breach. This is the touchstone of cyber liability insurance and likely the reason companies will consider buying the coverage in the first place. Many companies simply do not have the time, money, or resources to devote to developing a full-scale cyber readiness plan and team to respond to cyber attacks. Fortunately, many cyber insurers today offer companies a one-stop solution for data breach response and mitigation. This is critical because time is of the essence in identifying and reporting a breach.
To put things into perspective, companies should consider the potential out-of-pocket costs they may incur as a result of a data breach. According to the Ponemon Institute’s 2014 Cost of Data Breach Study, the average cost to a company is $201 for every stolen record. The total average organizational cost of a data breach for U.S. companies is $5.85 million. This amount can be broken down as follows: $417,000 for detection costs (including forensic and investigative activities and crisis team management); $509,237 for breach notification costs; $1,599,996 for post-breach remediation costs (including help desk activities, product discounts, identity theft protection services, and dealing with regulators); $3,324,959 in lost business costs (including reputational injury, diminished goodwill, and loss of business).
Notably, Ponemon’s survey is limited to data breaches affecting fewer than 100,000 records. For that reason, these figures can be dramatically higher for large data breaches. For instance, according to Target’s SEC filings for the period ending May 3, 2014, the company had incurred $88 million in costs attributed to the data breach it experienced during the 2013 year-end holiday season, which affected more than 100 million customer records, including stolen credit and debit card information. While Target purchased $100 million in dedicated cyber liability insurance coverage (subject to a $10 million deductible), the company expects to receive only $52 million from its insurers to offset the $88 million loss. Meanwhile, Target’s losses from the data breach continue to accrue, with some pundits predicting the company’s total losses to be as high as $1 billion. A company’s ability to absorb uninsured losses arising from a cyber attack is, of course, dependent in part on the size of the company, its financial situation, and myriad other factors. While a large company like Target might be able to withstand losses upwards of hundreds of millions of dollars, a $5 million loss might put a small company without cyber insurance coverage out of business.
It is important to understand what constitutes a triggering event for purposes of first-party coverage under a cyber liability insurance policy. In very basic terms, this usually includes unauthorized access to a company’s computer systems that results in the disclosure of customers’ nonpublic personal information (including financial or personal health information) that is in the possession or control of the insured. This is an important point because the policy may or may not cover data breach incidents when a third-party provider maintains the personal information that is exposed. The insured may be notified of a breach by its own IT department, vendors, customers, or even government authorities such as the Federal Bureau of Investigation (FBI).
How Cyber Carriers Can Assist Companies in the Event of a Breach
Oftentimes, a company is in panic mode when it first discovers that a data breach may have occurred and has no idea what to do. This is where the experience of a seasoned carrier and its team of vendors and law firms may step in to provide critical guidance and support to help mitigate and contain any potential loss.
First, the carrier may direct the insured to a preapproved data breach coach or breach response team with crisis management experience—similar to dialing 9-1-1 in the event of an emergency. This is typically an outside consultant, professional, or law firm that works hand-in-hand with the insured and coordinates all of the fast-moving parts in the event of a breach.
Second, the carrier or breach coach may contact a carrier-approved forensics expert to investigate the cause and scope of the breach and attack on the company’s computer system, in addition to working to contain the breach. The initial forensics investigation may be one of the most crucial to determine whether, in fact, personal information was accessed by unauthorized intruders and how widespread the breach might be.
Third, the carrier or breach coach may also retain another carrier-approved vendor to send out the appropriate notifications to individuals, customers, or patients whose data may have been stolen. This is not as easy as it seems because the insured is required to comply with a panoply of breach notification statutes, which vary from state to state. Some states have particularly onerous notice laws. For instance, California’s breach law requires that certain health care entities and affiliates notify individuals of a breach involving unencrypted health information in as few as five business days after discovering the breach, in addition to notifying the California Department of Health. Moreover, the insured must comply with the notice statutes in every state in which it does business—not simply where it is officially domiciled. The insured is also required to provide notice to certain government and regulatory authorities, including various state attorneys general and the Federal Trade Commission (FTC).
Because data breach notification statutes continue to evolve, keeping up with the changes and requirements can be a full-time job. For instance, in April 2014, Kentucky became the forty-seventh state to enact a breach notification law, which requires companies transacting business in the state to promptly notify all affected Kentucky residents whose personally identifiable information (PII) is or may be compromised. Under Kentucky law, PII is defined as an individual’s name in combination with a Social Security number, driver’s license number, or debit or credit account number, along with any security code, access code, or password required to access an individual’s financial account.
On July 1, 2014, the Florida Information Protection Act went into effect. The new Florida act strengthens existing state breach notification laws by shortening the time frame for providing notice to affected consumers (from 45 to 30 days) and imposing stiff monetary fines (up to $500,000) on companies that fail to comply with the new notice provisions. In addition to expanding the definition of protected personal information, the Florida act requires companies to notify the state’s attorney general of all data breaches potentially affecting more than 500 Florida residents—regardless of whether the breach adversely affected such individuals.
Earlier this year, in an effort to streamline the patchwork of state breach notification requirements, the United States Senate introduced a federal Data Security and Breach Notification Act. However, unless and until such federal legislation is enacted, companies will have to comply with the complex web of individual state notification laws. For many companies, it may be easier to use the services of a carrier-approved third party to send out notices in the event of a breach.
Last, but not least, the carrier or breach coach may also retain a carrier-approved public relations (PR) firm to minimize the effect of any negative publicity in the media as a result of the data breach. This is valuable because many customers’ gut reaction might be to stop doing business with a company that has been the subject of a large-scale breach, at least for a while. This translates into lost dollars and revenue for the company. In addition, the company’s stock price could take a hit.
In theory, a company could independently hire a forensics expert, notification vendor, PR firm, etc. In reality, few companies have the experience or resources to efficiently manage all of the moving parts on short notice. Immediate 24/7 accessibility to a carrier’s pre-vetted data breach experts can ease some of the immediate pressure on management so they can strategize about how best to handle the breach from a business perspective.
Other bells and whistles in first-party coverage may include remediation costs associated with setting up and manning a call center to answer customer inquiries about the breach, credit monitoring services, identity theft monitoring services, or a combination of these.
Some cyber policies may also provide valuable business interruption coverage for an insured’s economic losses sustained as a result of a temporary shutdown of its computer systems in the wake of a cyber incident or attack. The insured may be required to submit a proof of loss to the insurer detailing the company’s estimated loss of business, revenue, and continuing operating expenses during the relevant time period. The policy may provide a sub-limit of liability for business interruption loss, including a per diem limit for a specified time frame.
In addition, cyber policies may afford “cyber extortion” coverage. While this sounds like something that might be found in a kidnap and ransom (K&R) policy—or a science fiction movie—the threat of cyber extortion is becoming increasingly common. There has been a recent rise in a form of malware known as “ransomware” used by hackers. One such example is “CryptoLocker,” a type of malware that encrypts and locks computer files. The hacker then sends a message demanding that the owner pay a “ransom” to regain access to the electronic information. Of course, there is no guarantee that even if the ransom is paid, the files will be unlocked.
On June 2, 2014, the U.S. Department of Justice (DOJ) announced that it worked closely with the FBI and foreign law enforcement officials in Canada, Germany, Luxembourg, the Netherlands, the United Kingdom, and Ukraine to seize computer servers acting as command and control hubs for the CryptoLocker malware, which began appearing in September 2013. Security researchers estimated that as of April 2014, CryptoLocker had infected more than 234,000 computers worldwide seeking ransom payments exceeding $27 million.
Third-Party Cyber Coverage for Unavoidable Litigation
Of course, even the most aggressive steps to contain and mitigate the loss resulting from a breach cannot stem the tide of complaints or lawsuits filed by angry customers whose data may have been lost or stolen. In the event of a large breach, plaintiffs’ attorneys may get in on the action by filing nationwide consumer class actions against the insured for alleged violations of various state and federal laws.
This is where the third-party cyber coverage kicks in. The triggering event is usually a claim by a third party against the insured as a result of the breach. The policy definition of a claim may include a written demand or civil proceeding seeking monetary damages or non-monetary relief. It is possible that regulatory authorities such as the FTC, in addition to customers, may bring suit against the insured for failing to adequately safeguard customer information.
In a blow to companies that have been the victims of hacker attacks, a New Jersey federal court held in FTC v. Wyndham Worldwide Corp. that the FTC can bring suits under section 5(a) of the FTC Act, 15 U.S.C. § 45(a), against companies for failure to maintain reasonable data security for consumers’ sensitive personal information. The FTC, the nation’s consumer privacy watchdog, filed suit against hotel operator Wyndham in connection with a data breach for violation of section 5(a) of the FTC Act, which prohibits unfair and deceptive acts or practices. The FTC alleged that Wyndham failed to implement reasonable security measures, which compromised consumers’ personal information and caused substantial consumer injury. Wyndham challenged the FTC’s ability to assert a claim under section 5(a) in the data security context. Nonetheless, the court declined to “carve out a data security exception” to the FTC’s broad statutory authority. Unless the ruling is reversed on appeal, companies can expect to see more suits filed by the FTC in the wake of a data breach.
Of course, the insured should promptly notify the insurer in the event of a lawsuit. Such claims may trigger the insurer’s duty to defend the insured. The insurer may have a list of preapproved panel counsel firms that have demonstrated experience defending privacy claims and class actions. The insurer may appoint defense counsel and pay defense costs and other approved claims expenses on behalf of the insured in defense of the claims. If a suit is not quickly disposed of early in the litigation by a motion to dismiss, the litigation can become exceedingly costly, time-consuming, and long-lived. Indeed, defense costs alone for multiple, large-scale litigation could be millions of dollars.
In addition to paying defense costs, third-party coverage may include other types of loss incurred by the insured as a result of a claim, including damages, judgments, or settlements. However, once again, it is important to review the policy definition of “damages” or “loss,” which may exclude certain amounts such as salaries or other overhead incurred by the insured’s employees; civil, criminal, or regulatory fines or penalties; and payments that represent restitution or disgorgement of ill-gotten gain by the insureds.
The latter concept excluding coverage for restitutionary payments could be tested under the recent settlement in Curry v. AvMed, Inc., filed in the Southern District of Florida. In that case, a Florida federal judge approved a $3 million class action settlement against health insurer AvMed for failing to properly safeguard plaintiffs’ personal health information in accordance with the standards set forth by the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. § 164.320 et seq. The plaintiffs alleged that AvMed was “unjustly enriched” because the plaintiffs paid AvMed higher health insurance premiums so that AvMed would take adequate measures to protect the plaintiffs’ data. Instead of litigating, AvMed agreed to pay the settlement whereby class members whose personal information was stolen would receive $10 for every year they were an AvMed customer, not to exceed $30. While it is not clear whether AvMed sought or obtained insurance coverage for the settlement, some insurers could argue that a settlement of a claim based on a theory that the insured was unjustly enriched is not a covered loss under an insurance policy because the insured is simply returning something (i.e., excess premium) to which it was not entitled. Courts have repeatedly held that this is not a covered loss under an insurance policy.
Coverage Exclusions and Traps for the Unwary
Of course, like all insurance policies, cyber policies have a host of terms, conditions, and exclusions that warrant close scrutiny. Some common exclusions to consider include the following:
First, the policy may contain a prior notice exclusion that bars coverage for claims or potential claims that were reported by the insured under a prior policy. For instance, an insured may have reported a potential claim under a prior policy arising from a network intrusion. At the time, the insured did not believe that the attempted attack on its computer systems resulted in the disclosure of any sensitive customer information. However, several months later, after the insured purchased cyber insurance from a different insurer, the insured discovered that the prior network intrusion had in fact resulted in the loss or theft of customers’ personal information. In that situation, the insurer under the second cyber policy might deny coverage for any claims subsequently arising out of the network intrusion pursuant to the prior notice exclusion.
Second, the policy may contain a prior knowledge exclusion that bars coverage for any facts or circumstances known to the insured prior to the inception of the policy that could reasonably be expected to give rise to a claim under the policy. Using the example above, the new cyber insurer could deny coverage on the basis that the insured obviously had knowledge of a circumstance that could lead to a claim because the insured reported this fact under a prior policy. Or perhaps, during the course of a forensics investigation of a breach, it might come to light that the insured was aware of an existing vulnerability in its computer systems that compromised its firewalls or anti-virus protection, which the insured failed to rectify. Similarly, in that instance, the insurer might deny coverage based on a prior known incident that could give rise to a claim under the policy.
Third, many claims-made policies contain interrelated acts language to the effect that all claims or events arising out of the same wrongful act or interrelated wrongful acts may be treated as a single claim deemed to be first made at the time the earliest claim or event was first reported by the insured to the insurer. Interrelated acts language can be a double-edged sword. The analysis is extremely fact-intensive and has not yet been tested in the cyber arena. Consider, for example, an insured that has been the subject of a hacker attack during one policy period. The insured is again subject to an attack during a second policy period. Are both policies triggered? Or are both attacks considered interrelated for purposes of coverage? It is in the insured’s best interest to treat these attacks as unrelated to benefit from two separate policies with two separate limits of liability. Conversely, it might be in the insurer’s best interest to treat these attacks as a single interrelated act or event for purposes of limiting coverage to a single policy. Some policies do not specify the parameters for inter-relatedness. Factors to consider may include temporal proximity, the source of the attack, the nature of the attack, and the methods used by the attacker to access the insured’s computer systems.
Fourth, cyber policies typically restrict coverage for mechanical or electrical failures that affect a company’s computer systems or infrastructure, or “acts of God” such as fire, flood, earthquakes, or other natural disasters. For example, a tsunami that shuts down a power grid and all computer systems connected to that grid is not likely a covered event. Cyber policies may also contain a “war and terrorism” exclusion. It is important to note whether the policy addresses coverage for acts of cyber terrorism or cyber espionage by foreign governments, particularly in light of the purported rise of cyber attacks by the Chinese government and its state-owned or state-controlled businesses and enterprises.
Fifth, cyber policies may contain a property damage exclusion that bars coverage for any damage to tangible property—but not including the damage, corruption, or loss of the insured’s intangible electronic data. The purpose of such property damage exclusions is to avoid duplicating coverage afforded under a standard commercial general liability (CGL) policy that typically affords coverage for bodily injury and property damage. There has been a growing debate as to whether or not CGL policies should cover claims involving cyber attacks and loss of electronic data. Courts have adopted competing views as to whether a loss of data gives rise to a property damage claim. As a result, many CGL carriers may begin to include new endorsements to their policy forms that expressly exclude coverage for damages or other losses resulting from a data breach.
In May 2014, new Insurance Services Office (ISO) cyber exclusions for CGL policies went into effect. These exclude coverage for damages arising out of
“(1) any access to or disclosure of any person’s or organization’s confidential or personal information, including . . . financial information, credit card information, health information or any other type of nonpublic information; or (2) the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
In that event, is the insured covered for physical damage to its computer systems, hardware, and other electronic devices as a result of an unauthorized attack on or disabling of its systems? What if a cyber attack causes a company’s computer systems to ship physical inventory that is not recoverable? The answer will depend on the precise policy wording.
The foregoing list is not exhaustive and is only a sampling of a few coverage issues to consider under cyber policies.
The best defense is a good offense when it comes to cyber insurance. Without a doubt, insurance coverage is a risk management tool and one way to mitigate potential losses stemming from a data breach. As noted above, even the SEC has promulgated guidelines suggesting that companies consider disclosing to investors whether the company has insurance coverage for cyber security risks. Moreover, recent high-profile data breach incidents have put a spotlight on corporate boards and their management for alleged failure to ensure that companies have appropriate safeguards and internal controls in place to minimize the risk of loss from cyber attacks. As demonstrated by the Target breach, the fallout from a widespread data breach can have serious adverse consequences for a company, including costly litigation by customers and shareholders; expensive government investigations by state and federal authorities, including state attorneys general and the FTC; loss of business and revenue; decline in the company’s stock price; reputational injury; resignations or terminations of top-level management; and a demand for the ouster of board members by activist shareholders.
While not every breach incident will have the same magnitude, the potential consequences are relative to the size of the company and its business. A cyber incident that might be considered relatively insignificant by one company may be devastating to another. To lessen the effect, companies and their boards should consider the widespread, if somewhat dizzying, array of cyber insurance products on the market today, which can often be tailored to meet the needs of a particular insured.