Best Practices – Annual Cyber Insurance Reviews

April 28, 2015
Insurance Coverage Alert

Cybersecurity is not just an IT issue but an enterprise risk management issue. As with any major business risk, companies should consider cybersecurity insurance as a way to transfer risk and mitigate potential losses.

The cost to respond to a cyber event can be expensive. In fact, the average cost is higher in the U.S. than anywhere else. According to a 2014 Ponemon Institute report, U.S. companies incur an average total cost of $5.85 million per data breach, the highest average cost of any country.

This figure is even higher for heavily regulated entities such as banks. Companies in the financial services industry spend $206 per impacted record, significantly above the overall mean of $145 per record.

Cyber events also take a harder toll on a bank’s reputation. Compared with retail or public sector companies, financial services organizations tend to have an abnormally high percentage of customers switch companies as a result of a breach.

Because a significant cyber event could impact a company's financial wellbeing, at least once a year, businesses should evaluate existing insurance coverage for cyber-related risks. For those companies that already have cyber policies, a review could reveal gaps in coverage. Changes in risk tolerances also might require changes to existing policies. And since the cyber insurance market is evolving, all companies – including those that have not yet purchased cyber insurance – might find new products that make this insurance a more attractive risk management tool.

Businesses should not rely upon traditional liability or first-party property policies for cyber-related risks. Traditional insurance policies cover losses from bodily injury or from damage to tangible property. Cyber events, by contrast, involve the loss of or damage to intangible assets such as data or computer software. This type of loss does not fall squarely into any traditional coverages.

Some policyholders have obtained coverage for data breaches under the "personal and advertising injury" prongs of standard commercial general liability policies. This offense-based coverage provides protection for certain enumerated torts such as defamation, false imprisonment, and invasions of privacy rights. However, insurers typically have strong defenses to data breach claims and, in many instances, have been able to defeat coverage.

To close the door on the potential coverage for cyber events, insurers recently expanded cyber-related exclusions in traditional policies. As a result, policyholders will have to turn to specialty insurance to obtain coverage for this risk.

Businesses may buy standalone cybersecurity policies or riders. Cyber insurance tends to provide targeted coverage for discrete harms, in which separate coverage grants address each different type of loss or damage. For this reason, businesses should carefully evaluate the risks they face and ensure that their cyber policies or riders actually cover those potential losses.

Third-party cyber risk policies protect against liability and other costs arising from data breaches. Data breaches result in a variety of losses, not all of which are covered under every cyber liability policy:

Businesses can also buy first-party insurance for cyber-related losses. The market for first-party cyber insurance is not as developed as that for liability coverage. Many businesses have found that first-party insurance either does not provide the protections they want or that the cost is prohibitive. As the cyber insurance market evolves, and as insurers get better at underwriting the risk, more affordable products could come onto the market.

First-party cyber insurance protects the policyholder against business losses or costs to repair or restore lost data, information, or software. Like third-party insurance, first-party coverages can be tailored to a business's specific needs:

Cyber events come in many forms – data breaches, malware, lost or stolen laptops with confidential data, denial of service attacks in which systems are overloaded with traffic, and cyber extortion. Because the potential threats are varied, insurance for these risks is varied as well.

Cyber insurance should be an integral part of any enterprise risk management plan. But before buying any cybersecurity policy, companies should scrutinize the particular risks facing their businesses and buy insurance tailored to their own business needs and risk tolerances.