Apr 21, 2016, 01:12 PM
Legal Login with Mindi Giftos and Andrew Schlidt
Cybersecurity insurance: Maximizing coverage to mitigate risk
By now most businesses understand that the question is not whether they will experience a data breach incident but when. Knowing how to mitigate the risks that flow from a breach is vital. In addition to implementing a program of administrative, technical, and physical control measures to identify and reduce the risk, cybersecurity insurance is a means of mitigating the financial risks to the business if those other control measures fail.
The recent Ponemon Institute 2015 Cost of Data Breach Study found that data breaches cost companies an average of $217 per compromised record, which includes direct and indirect costs. Indirect costs include the internal resources the company expends to deal with the data breach, such as employee time spent on investigation and notifications, as well as loss of customers and injury to reputation. Direct costs include expenditures to minimize the consequences of the breach and assistance to victims, such as hiring forensic and legal experts, and providing identity protections for victims. Clearly, certain actions before a breach occurs can substantially reduce the cost of a data breach. These include the existence of an employee response team, extensive use of encryption, and the purchase of cybersecurity insurance. Businesses sometimes think that their commercial general liability policy covers losses from a data breach, but many insurers exclude cybersecurity risk from those policies.
The market for cybersecurity insurance is still evolving and policies can differ widely among carriers. Here are some tips for navigating the market to maximize the protection for losses from a breach.
Be sure to secure coverage for first-party and third-party losses. First-party losses include direct expenses such as reporting the breach to government entities and the affected persons, crisis management, data recovery, and call center costs. These also include credit monitoring for customers whose information was disclosed and payments to hackers to end e-commerce attacks.
Third-party losses include claims by third parties such as customers, legal defense costs, and fines and penalties assessed by state and federal regulators for violations of law attributable to the data breach. It is advisable to have a cybersecurity policy that specifically covers fines and penalties levied by credit card companies for breach of the Payment Card Industry Data Security Standard (PCI DSS), which governs how merchants protect and store their customers' card data.
In addition to the total policy limits, be sure that sub-limits do not excessively limit the amount that can be recovered for certain expenses such as regulatory fines or penalties. Review and carefully consider policy exclusions such as criminal or fraudulent conduct exclusions and exclusions for terrorism or acts of foreign enemies. The “foreign enemies” exclusion may prevent any coverage for state-sponsored cyber attacks such as the attack on the U.S. government personnel office that is believed to have been directed by the Chinese government.
Also review the definitions of “confidential information” and “personally identifiable information” (PII), as they are probably the central definitions in the cybersecurity policy. The broader the definition, the better for the insured. Some policies use a statutory definition of PII. Where confidential information that does not meet the statutory PII definition is disclosed and the business chooses to notify customers even though the law does not require it, the insurer may not cover the cost of that notification.