August 30, 2018

Michael Gossie

Will cyber insurance help with data breach?

An amended Arizona law that went into effect in August requires companies to notify consumers affected by a data breach within 45 days of the breach or face up to $500,000 in penalties. Your standard commercial insurance policy is written to ensure against injury or physical loss and will do little, if anything, to protect you from a data breach. So how can cyber insurance protect businesses?

Az Business talked with Jennifer Chenault, sales executive for Lovitt & Touché, to get some answers.

Az Business: Does a standard commercial policy protect a business against data breaches? 

Jennifer Chenault is a sales executive for Lovitt & Touché.

Jennifer Chenault: Your standard commercial policy is written to ensure against injury or physical loss and will do little, if anything at all, to protect you from a data breach. 

Commercial general liability (CGL) is a type of insurance policy that provides coverage to a business for bodily injury, personal injury and property damage caused by the business’ operations, products, services or injury that occurs on the business’ premises. CGL is considered comprehensive business insurance, though it does not cover all risks a business may face.

Defining cyber risk in the context of your specific business is the first step in managing this risk. Once the impact of data breaches on your business has been identified and mitigated to the extent practicable with internal measures, it is time to consider cyber risk insurance as a risk transfer mechanism.

AB: Can cyber insurance protect businesses from liabilities related to a cyber attack or data breach?

JC: Cyber liability insurance covers lawsuits stemming from events like data breaches and denial of server attacks; these such lawsuits are not covered by a standard Commercial Liability Policy.  Electronic data is not considered tangible property, therefore any damage is not considered property damage.  In addition, most CGL policies exclude damage to data with an electronic data exclusion, which eliminates coverage for claims based on the loss, damage corruption or inability to use data.

• First-party response. This type of cyber risk policy can cover the cost of notifying affected parties about the breach, funding PR measures to rebuild your business’ reputation, offering credit-monitoring services, and more.

• Third-party defense. This type of cyber liability policy can cover legal expenses if your business is sued over a data breach.

AB: What does cyber insurance cover? 

JC: Most notably, but not exclusively, cyber and privacy policies cover a business’ liability for a data breach in which the firm’s customers’ personal information, such as Social Security Numbers or credit card numbers, is exposed or stolen by a hacker or other criminal who has gained access to the firm’s electronic network. The policies cover a variety of expenses associated with data breaches, including: notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft.

In addition, the policies cover liability arising from website media content, as well as property exposures from business interruption, data loss/destruction, computer fraud, funds transfer loss, and cyber extortion. Cyber insurance can cover various third-party expenses as well as protection against lawsuits filed by breaches.  There are variances within the industry and coverage can vary greatly.  Some carriers will include coverage for libel or slander and other intentional torts.  One thing in common is virtually all policies are on a claims-made basis (A claims-made policy covers claims that are made during the policy period. In this type of policy, coverage depends on the timing of the claim.) Cyber risk insurance is almost universally written on a claims-made basis — meaning that to be covered, the claim or suit against you for a data breach must be first made during the policy period.

Most offer first-party expenses:

• Business Income and Extra Expense: Covers income you lose and expenses you incur due to a full or partial shutdown of your computer system because of a hacker attack, virus or other insured peril. Such losses are not covered under the business income and extra expense insurance that is available under a commercial property policy.

• Loss of Data: Covers the cost of restoring or reconstructing data that was lost or damaged due to a virus, hacker attack or other covered cause.

• Associated Costs: Covers costs you incur due to a data breach. Examples are the cost of notifying affected customers as required by law, and the cost of providing credit monitoring to affected customers.

• Cyber Extortion: Covers the costs associated with an extortion threat, including ransomware. For example, an extortionist installs ransomware on your computer system. The extortionist refuses to release your data unless you pay him or her a sum of money.

• Crisis Management Covers the cost of hiring public relations, legal and computer forensics consultants.

AB: What doesn’t cyber insurance cover? 

JC: Cyber and privacy insurance is often confused with technology errors and omissions (tech E&O) insurance. In contrast to cyber and privacy insurance, tech E&O coverage is intended to protect providers of technology products and services, such as computer software and hardware manufacturers, website designers, and firms that store corporate data on an off-site basis. Nevertheless, tech E&O insurance policies do contain a number of the same insuring agreements as cyber and privacy policies.

AB: What kind of company will benefit the most from cyber insurance coverage?

JC: It’s rare in today’s world that a day goes by without a report on a cyber attack or breach.  Even though this is a regular occurrence, would you know what your company’s risks and liabilities are?  No company, big or small, is immune to this exposure and many falsely believe they can elude the attention of a hacker.  The studies show this is not true.  In fact, it is just the opposite; we are seeing cyber attacks grow in the companies that have fewer than 100 employees.

You would benefit from cyber insurance coverage if you use electronic data.  If you use email, text or social media to communicate with your customers, if you send or receive documents electronically or if you store data, then this coverage can protect you.

As there are not one-size-fits-all insurance policies, it is a good idea to bring in an expert that can help you navigate and advise on your exposures.  As your business grows, your liability grows with it. Cybercriminals look for weakness, and smaller businesses are more attractive than their larger counterparts.  Smaller businesses tend to put off making the improvements until it is too late and they face a breach.