As the frequency and cost of data breaches continue to increase, firms need to look more closely at the kinds of insurance that they have and what they need to properly cover a Data Breach or Cyber Incident. First, firms need to look at the typical policies that almost all firms have.
Why your other insurance policies will not do the job.
Your current policies are very limited in how they will respond to a cyber incident or data breach event. Not understanding the limitations of your current insurance policies could leave you with significant uninsured exposures for a cyber incident.
Your general liability insurance, which could be part of your Business Owner’s Policy (BOP), covers some risks resulting from a cybersecurity incident, but its reach is limited:
The typical general liability policy covers property damage caused to others and loss of use of tangible property. This might be helpful when a natural disaster wrecks a computer system, but it provides no coverage for data loss or loss of system function triggered by a cyber event when there is no physical damage.
General liability policies normally cover oral or written defamation, but this offers no protection for improper disclosure of an individual’s confidential information. Governmental fines, internal remediation costs, and liability to individual victims (such as under HIPAA) are exposures that the general liability policy was not intended to cover.
Likewise, your property insurance also may cover physical damage to your computer system but not damage caused by a cybersecurity incident that results in no physical harm.
Malpractice insurance, professional liability insurance, and errors and omissions insurance are intended to cover an injury to a third party because of an inadequate delivery of professional services. Normally there is no protection against a computer hacker or damage to your data caused by a careless or disgruntled employee. In fact, in some cases deliberate acts by firm staff may be excluded from coverage entirely.
Neither the general liability nor physical damage coverage is designed to cover the misrouting of funds caused by a phishing incident.
Your current insurance coverage provides only spotty protection for some risks encountered in a cybersecurity incident, and these policies cannot be extended to cover the full range of cyber exposures. Many insurers are starting to limit coverage for cyber events under traditional policies by imposing sub-limits or flatly excluding certain cyber-related risks.
What risks can a cyber insurance policy actually cover?
It is important to realize that not all cyber policies are created equal. Merely endorsing your Business Owner’s Policy or malpractice insurance coverage may leave you with inadequate limits and coverage gaps.
A good Data Breach/Cyber Liability Insurance policy offers 1st party and 3rd party coverage. It needs to respond to the following exposures:
1st Party Claims
1. Incident response services
2. Ransom demands to unlock your system
3. Costs of notifying your clients that have suffered a data breach, as required by federal & state laws & regulations
4. Assistance in restoring your systems and data
5. Loss of income for the time that it takes to recover from a data breach
6. Harm to reputation & goodwill
7. Crisis management and public relations costs
3rd Party Claims
1. Damages to clients that have suffered a data breach
2. Cost of defending you against these claims
3. Regulatory violations, fines and penalties that may be assessed against the firm
Don’t Forget Crime Insurance:
Even with a good cyber policy, the voluntary routing of funds to an erroneous 3rd party caused by a phishing incident may not be covered by any policy other than a Crime Policy. Many cyber policies specifically exclude the theft of funds. When these incidents occur, such as during a real estate closing, hundreds of thousands (or millions) of dollars can be voluntarily sent to a cybercriminal with no way to get the money back. If this is an exposure that your firm has, make sure your Cyber or Crime policies are properly endorsed to cover this exposure.