What to look for in a Cyber Insurance Policy
Updated: Oct 8, 2020
Cyber insurance varies greatly from insurance company to insurance company. There is no standard language or coverage. Some have worldwide coverage, some country specific, some are within limits, some are outside limits, some are admitted, some are non-admitted. It truly takes an expert to read and interpret a cyber policy. Here is what your policy should include at a minimum:
First Party Coverage
First party is financial loss coverage due to a data breach for the insured. This is for items that directly affect the insured’s business. There are numerous coverages:
Computer Forensics – coverage for a computer forensics expert to come investigate a data breach
Reputation Harm – coverage for a public relations firm to restore your brand name from negative effects a data breach may have on your company.
Notification Costs – coverage for call center or notification services to notify those affected by a data breach.
Credit Monitoring – coverage for credit monitoring services to scan for “bad actors” attempting to open new or use existing credit lines for those affected by a breach.
Costs to Defend Claims – coverage for litigation costs associated with legal proceedings following a data breach.
Fines and Penalties – coverage to reimburse the company for fines or penalties due to a data breach
Business Interruption – coverage for downtime and the additional cost to get computer systems back up and running after a breach
Replacing electronic data – coverage to replace electronic data
First Party Questions to Consider
Does the insured have a Say in Choice of Legal Counsel?
Can the insured use whatever legal providers they want, or must the insurance company’s pre-selected service provider panel be used? Some policies will consider the insured’s preference for the appointment of counsel, but the insurance company still has the final say. Some policies state the Insured shall not formally appoint counsel without approval from the insurance company. This may be a sticking point if an insured is keen on using their own legal counsel. Cyber policies may offer lower limits of coverage for “non-panel” service providers.
Are the above first party coverages within policy limits or outside?
Essentially, if you have a $1M aggregate policy, does every single first party coverage fall within this $1M bucket, or do some coverages have their own $1M limit bucket? It would be advantageous to either have a higher aggregate or a separate limit on items like Business Interruption and Defense costs. Oftentimes some line item coverages can be sublimited to $250 or $500K on a $1M policy.
Is the policy written on an admitted or non-admitted basis?
Admitted insurance policies are insurance policies written by an admitted insurance company. An admitted insurance company pays the proper taxes, fees, and paperwork to achieve admitted status, in exchange for being backed by a state guarantee fund. If the insurance company becomes insolvent and an insured has a claim, the claim will still be paid by the guarantee fund. A non-admitted carrier/policy has no such guarantee. It is wise to check the AM Best rating and admitted status of the insurance company writing your insurance policy here: http://www.ambest.com/ratings/guide.pdf
Third Party Coverage
Third party is financial loss coverage from a data breach for the benefit of others. It could be your customers, partners, suppliers, vendors, etc. It includes three separate coverages:
Privacy Liability - Covers expenses the insured becomes legally obligated to pay due to failure to protect the following classes of information:
PHI (Personal health Information) i.e. health records
PII (Personally identifiable information) i.e. Social security #, address information, etc.
PFI (Personal Financial Information) i.e. Bank account #s, credit card numbers, etc.
Content Liability/Web Publishing Liability/Multimedia Liability – Provides “digital world” personal and advertising injury liability coverage. This includes infringement or violation of another’s copyright, title, slogan, trademark, trade name, trade dress, service mark, and service name. An example would be using unauthorized images or music on a website. This also provides coverage for defamation, libel, and slander like negative comments posted on your website about a competitor’s product.
Third party Security Breach Liability – coverage for when the insured becomes responsible for a virus, security breach, transmittal of malicious code, etc. Essentially, because your system got hacked, the hacker was able to get access to your customers’, vendors’, partners’, or other third parties’ systems, and it becomes your fault.
Third Party Questions to Consider
Is there Coverage for Rogue Employees?
A rogue employee may also be described as a disgruntled employee, but is essentially an employee who purposely causes a data breach or transmits malicious code to sabotage the company. Policy language can explicitly name rogue employees, imply coverage without specifically mentioning them, exclude coverage altogether, or add coverage via endorsement.
What is the Coverage Trigger?
Policies are written on one of the following coverage triggers: Occurrence, Claims Made, or Claims Made & Reported.
1. Occurrence Form.
Definition: A policy covering claims that arise out of damage or injury that took place during the policy period, regardless of when claims are made.
2. Claims-made Policy
Definition: A policy providing coverage that is triggered when a claim is made against the insured during the policy period, regardless of when the wrongful act that gave rise to the claim took place.
3. Claims-made and Reported Policy
Definition: A type of claims-made policy in which a claim must be both made against the insured and reported to the insurer during the policy period for coverage to apply.
The above coverage trigger types are in order from most advantageous to least advantageous from an insured’s perspective.
Cyber insurance policies are typically written on claims-made or claims-made and reported forms. Claims-made is more advantageous from the insured’s perspective than claims-made and reported.
Coverage for Contractual Liability?
Good cyber insurance policies have coverage for contractually assumed liability. Often this is subject to a sub-limit and should be scrutinized when purchasing an insurance policy. Check that the limit is sufficient for your specific contract requirements.
Cyber Crime Coverage
Cyber crime coverage is typically separate from First and Third party coverages, but not always. It typically covers claims for financial loss from the following:
Extortion/Ransom – A hacker is holding your business’s computer system hostage, everything is locked with a message that says "pay 10 Bitcoins in 24 hours or computer system will be destroyed". Cyber insurance can help pay to restore or replace a system held hostage.
Social Engineering/E-Mail Phishing – An e-mail that looks like it’s from the CFO, with instructions to wire $50,000 to a bank account, is sent to a new controller; the controller wires the funds, not knowing the CFO’s e-mail was really from a hacker. Cyber Crime insurance can cover the loss resulting from this unintended parting of money/funds due to fraudulent instruction/impersonation.
Want to learn more? I've uploaded an extended 30 minute discussion on this topic to a recorded webinar accessible to all here: