Friday, October 10, 2014

Cyber Liability Coverage - Believe it or Not Its Here

Article by Alan R Lyons, Ronald J. Levine and Barry Werbin
In today's modern world, data breaches are a fact of life.  Last month, Home Depot confirmed that hackers broke into its payment systems and stole debit and credit card data for more than 40 million customers.  With that attack, Home Depot joined a growing list of high-profile companies, including household names such as Michaels, P.F. Chang's, Wyndham Hotels and Neiman Marcus that have had sensitive customer data stolen or compromised via cyber-attacks.

Although data breaches affecting large, well-established companies have grabbed the headlines, a data breach can happen to any business, large or small. All businesses that transact business online and store sensitive data on a network are susceptible, and the range of customer and employee data that could be exposed by a breach makes the potential fallout significant. This data includes customer lists, credit and debit card information, employee social security numbers, intellectual property and trade secrets, records, receipts and tax documents.

Traditional business liability insurance policies do not fully address cyber exposures, however cyber liability insurance can fill that gap. Cyber liability insurance can help businesses safeguard against data breaches, computer hacking, computer viruses, theft of information and employee sabotage.  Here is a summary of the various types of coverages available under this type of policy:
  • Privacy Liability
    • Covers liability arising out of a company's failure to protect personally identifiable or confidential corporate information in its care, custody or control, or by others on its behalf.
    • Provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, local or foreign privacy legislation.
  • Network Security Liability
    • Covers liability arising out of:
      (a) the failure of a company's network security to prevent computer attacks, including unauthorized access or unauthorized use of corporate systems resulting in deletion, corruption or theft of data;
      (b) a "denial of service" attack -- an attack which makes a network unavailable to its intended users; and
      (c) the failure to prevent transmission of malicious code.
  • First Party Coverages
    • Covers the following types of expenses incurred by a company as a result of a data breach:
      (a) expenses to retain a computer forensics firm to determine the scope of a breach;
      (b) expenses to comply with privacy regulations;
      (c) expenses to notify and provide credit monitoring services to affected individuals;
      (d) expenses to retain legal, public relations and/or crisis management services to restore the company's reputation.
    • May also cover regulatory fines or penalties incurred because of a data breach.
    • May also cover business income loss when business operations are interrupted or suspended as a result of a security breach.

There is a wide variety of policies and levels of protection available.  Policies can be tailored to fit the needs of a particular business, including its size, sector, number of customers and type of data. In short, no two policies are identical. More importantly, the policy terminology can often be confusing.

Many companies analyze their insurance policies only after a data breach occurs. However, it is often advisable to obtain legal counsel prior to the purchase of cyber liability insurance to ensure that the scope of coverage is tailored to meet the company's specific needs, and to avoid common insurance purchasing pitfalls.  There are many questions and issues that should be considered during such an analysis, including: 
  • Does the policy provide sufficient sublimits for legal, computer forensics, public relations and/or crisis management expenses?  Many policies include those coverages, but only at low sublimits.  Those fees can often be substantial and can exhaust the sublimits very quickly.
  • It is recommended that the policy contain "prior acts" coverage, to ensure that coverage applies in the event that the insured's network has been breached before the policy was purchased.  In many instances, a breach can occur over a long period of time without the knowledge of the business owner.
  • The exclusions must be read carefully -- for example, be wary of an exclusion for attacks through unencrypted laptops or mobile devices as many cyber-attacks have occurred through those devices. 
  • Some policies contain a "wild virus" exclusion, which means that coverage would only apply to a cyber-attack targeted at the insured entity itself.  However, many viruses circulating over the internet are "wild" in nature and not directed at any particular entity.
  • Does the policy provide coverage for regulatory fines or penalties?
  • Does the policy provide business income coverage, and if so, is coverage triggered only by a complete suspension of business operations, or would a mere interruption in business operations be sufficient to trigger coverage?

No comments: