Cybersecurity insurance: Maximizing coverage to mitigate risk
By now most businesses understand that the question is not whether they will experience a data breach incident but when. Knowing how to mitigate the risks that flow from a breach is vital. In addition to implementing a program of administrative, technical, and physical control measures to identify and reduce the risk, cybersecurity insurance is a means of mitigating the financial risks to the business if those other control measures fail.
The recent Ponemon Institute 2015 Cost of Data Breach Study found that data breaches cost companies an average of $217 per compromised record, which includes direct and indirect costs. Indirect costs include the internal resources the company expends to deal with the data breach, such as employee time spent on investigation and notifications, as well as loss of customers and injury to reputation. Direct costs include expenditures to minimize the consequences of the breach and assistance to victims, such as hiring forensic and legal experts, and providing identity protections for victims. Clearly, certain actions before a breach occurs can substantially reduce the cost of a data breach. These include the existence of an employee response team, extensive use of encryption, and the purchase of cybersecurity insurance. Businesses sometimes think that their commercial general liability policy covers losses from a data breach, but many insurers exclude cybersecurity risk from those policies.
The market for cybersecurity insurance is still evolving and policies can differ widely among carriers. Here are some tips for navigating the market to maximize the protection for losses from a breach.
Be sure to secure coverage for first-party and third-party losses. First-party losses include direct expenses such as reporting the breach to government entities and the affected persons, crisis management, data recovery, and call center costs. These also include credit monitoring for customers whose information was disclosed and payments to hackers to end e-commerce attacks.
Third-party losses include claims by third parties such as customers, legal defense costs, and fines and penalties assessed by state and federal regulators for violations of law attributable to the data breach. It is advisable to have a cybersecurity policy which specifically covers fines and penalties levied by credit card companies for breach of Payment Card Industry (PCI) Data Security Standards governing how merchants protect and store their customer data.
In addition to the total policy limits, be sure that sub-limits do not excessively limit the amount that can be recovered for certain expenses such as regulatory fines or penalties. Review and carefully consider policy exclusions such as criminal or fraudulent conduct exclusions and exclusions for terrorism or acts of foreign enemies. The “foreign enemies” exclusion may prevent any coverage for state-sponsored cyber attacks such as the attack on the U.S. government personnel office that is believed to have been directed by the Chinese government.
Also review the definition of “confidential information” and “personally identifiable information” (PII) as it is probably the central definition in the cybersecurity policy. The broader the definition the better for the insured. Some policies may use a statutory definition of PII. In cases where confidential information that does not meet the statutory PII definition is disclosed and the business wishes to notify customers even if not required by law, such a practice may not be covered by the insurer.
Finally, be sure that there is no exclusion for the “voluntary transfer” of funds to third parties that would result when someone is tricked into transferring money. Phishing schemes are an example of this type of “voluntary transfer” that could be excluded.
An unexpected benefit of seeking cybersecurity insurance is that insurers, as part of their underwriting process, will require businesses to assess their cyber practices and put incident response plans in place. In the absence of substantial actuarial data, insurers engage in qualitative assessments of the business’s risk management procedures resulting in a road map for the business to follow to strengthen its understanding and management of cybersecurity risks.
Securing the appropriate cyber-insurance coverage will be much easier for businesses of all sizes that have already assessed their cyber risks and devised a complete incident response plan. Besides keeping insurance premiums down, it will help companies secure the type and amount of coverage that is appropriate for their specific business. Technical, legal, privacy, and insurance professionals with experience relating to data breaches should be consulted along the way.
Gina Carter is a shareholder in the Madison office of Whyte Hirschboeck Dudek S.C. where she practices in the areas of technology law, credit union law, and intellectual property. She regularly advises on and litigates data breach and other technology law matters. Carter can be reached at email@example.com.
Click here to sign up for the free IB ezine – your twice-weekly resource for local business news, analysis, voices, and the names you need to know. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.