The concept of purchasing cyberinsurance to insure against cyber threats seems fairly simple at first glance. Many companies fear the financial costs and reputational harm that often result from a cyber security breach and seek to mitigate these risks through insurance.
However, the actual use of cyber insurance tends to raise a lot of questions, some of which are complex. According to a June 2019 article by The Wall Street Journal titled “Explaining Cyberinsurance,” there are few or no standards in place for evaluating risks or even for determining what constitutes a cyber attack. This lack of clarity can lead companies to make poorly informed decisions. Below are several key questions, as identified in the Journal article, that companies may want to ask themselves when considering the purchase or renewal of a cyberinsurance policy.
What Cyber Assets Need to be Protected?
Companies first must identify the largest risks to which they are exposed and evaluate what the consequences would look like if they were to experience a breach. A certified security specialist or a cybersecurity consulting firm often helps in this review process. After identifying its individual protection needs, a company may then work with a broker or its insurance carrier to tailor cyberinsurance coverage that is the best possible fit.
The primary areas that companies should evaluate are potential reputational damage, the cost of restoring data, and the payment of fines imposed by government regulators in the event of a data breach.
The National Institute of Standards and Technology (“NIST”) is one source for security guidelines. NIST publishes a cybersecurity framework focused on the concepts of identify, protect, detect, respond and recover. Another source is the Ponemon Institute, founded in 2002 by Dr. Larry Ponemon. The Michigan-based institute is a leading research center dedicated to privacy, data protection and information security policy. Companies can consult these and other resources to better evaluate the risks they face.
Cyber insurance application forms, which ask about the typical levels of security a company maintains and point out potential risk areas, may be downloaded from many insurers and are an additional useful resource for understanding the types of security provisions that insurers may expect a company to have in place before they will write a policy.
What Cyber Events Are Not Covered by Insurance?
Many cyber insurers do not cover easily preventable security lapses that result from neglect, such as failure to maintain a minimal level of security or a poorly configured firewall. If an employee carelessly mishandles private information, the resulting consequences are typically not covered. Theft and other malicious acts by rogue employees are often excluded as well.
A high-profile example of a cyber exclusion came about in the aftermath of the 2017 “NotPetya” attack, malware that presented itself as ransomware and which the CIA attributed to the Russian government. In at least one instance, a claim was denied on the basis of a clause that excludes recovery for a “hostile or warlike attack” perpetrated by a state actor. Companies should read the war and state-actor exclusions in their policies closely, since attribution of an attack to a government can be asserted by the insurer long after the loss occurs.
However, insurers are not always off the hook just because a breach is the company’s fault. Mistakes such as an employee falling prey to a phishing scam or losing a laptop that holds sensitive information may be covered, and each case is subject to individual review. Conversely, if the employee who lost the laptop had taken the computer out of the office despite being instructed not to do so, the damages would likely not be covered.
What is the Distinction between First-Party and Third-Party Insurance?
First-party insurance protects the insured against its own direct losses stemming from a cyber attack, such as extortion and theft of data. Remedial efforts after an attack, such as causation analysis, required notifications, data restoration, and crisis communications, may also be covered under a first-party cyberinsurance policy. First-party insurance is usually purchased by companies that store credit card data and other sensitive information.
Third-party insurance applies when the insured is protecting itself against claims arising from a cyber attack suffered by a client or other outside party. An example would be an internet marketing company that was contracted to develop a secure website for a client and left a vulnerability that a hacker was able to exploit. This type of insurance may cover costs associated with settlements, legal fees, and government fines resulting from the breach.
How Is Cyber Insurance Priced?
Pricing for cyberinsurance is typically proportional to the revenue that a company generates, and it also takes into account the insured’s industry. The insurer assesses the company’s industry to determine how attractive a target it would be for cyber criminals. For example, a hospital would be more expensive to insure than a library, because of the sensitive nature of medical records and the stringent regulations protecting patient data.
The strength and detail of the existing cyber security measures maintained by the insured will also affect pricing. Insurers will typically conduct an in-depth questionnaire or audit to assess whether employees are trained to spot cyber fraud attempts, review the company’s password policies, check the frequency of software updates, and examine a range of other security practices.
What is the Notification Requirement for a Cyber Breach?
There is often a substantial gap between when a breach occurs and when a company discovers it. A study by the Ponemon Institute concluded that it takes 197 days on average for a business to discover a breach. Generally, an insurer requires a company to notify affected customers of the breach once the company becomes aware of it, and most policies also require prompt notice to the insurer itself; late notice to the insurer can put coverage at risk. An insurer’s requirements regarding notification may differ from a company’s legal requirements.
Every state in the U.S. has a data-breach notification law that requires organizations to notify any customers whose data is compromised. The time allowed for notification varies by state. For example, Florida has a 30-day deadline from the date that the breach was discovered.
Depending on the circumstances, companies that suffer a data breach may also need to notify state or federal agencies of the breach.
The information in this article is for general purposes only and does not constitute, and should not be taken as, legal advice for any individual case or situation. This information is not intended to create, and does not create, an attorney-client relationship with DLD Lawyers. No content in this article may be reproduced by any means or in any medium without the prior written permission of DLD Lawyers.