Cyber Insurance: Considerations for Businesses

by Teri Cotton Santos
According to the 2016 RIMS Cyber Survey, 80% of respondents had purchased stand-alone cyber insurance policies, up 29% from 2015. There are several drivers for the emergence of cyber insurance and for why companies are increasingly looking to obtain it. First, the cost of a cyber breach is high. Ponemon's 2016 Cost of Data Breach study reported that the average cost of a data breach is $4 million, up 29% since 2013, with the average cost per record at $158. Additionally, some organizations are seeking stand-alone coverage due to contractual requirements imposed by business partners. In the RIMS Cyber Survey, 25% of respondents reported that their organizations purchased cyber insurance as a result of contractual obligations, up 17% from 2015.

A cyber insurance policy is intended to help organizations mitigate the costs associated with a cyber-related security breach. Cyber coverage was originally intended to address data privacy or data breach issues. As a result, the primary purchasers of this insurance have historically been those organizations that collect significant amounts of financial, health-related or consumer information and therefore have a larger exposure to data breach risks. These include retailers, health care organizations, banks and insurers.
However, the range of risk exposures presented by cyber-related events reaches far beyond data privacy and data breach issues and therefore can impact any organization, not just those that collect and store sensitive personal information. For example, cyber extortion, the use of malicious software that blocks access to a computer system until a ransom is paid, is a prevalent and formidable risk, according to the FBI. Additionally, the emergence of the internet of things and the reliance upon technology to support critical infrastructure represent a different form of risk exposure for entities such as commercial carriers and utility providers. Finally, all organizations can be subject to business interruption losses or crisis management costs, both of which are typical offerings in cyber insurance policies today. Any organization considering stand-alone cyber coverage should carefully evaluate its risk profile and whether its more traditional policies provide coverage for these risks.

Copyright © 2017 Risk and Insurance Management Society, Inc. (RIMS). All rights reserved.
Do Traditional Policies Cover Cyber Events?

Organizations that do not purchase stand-alone cyber policies may look to more traditional policies like commercial general liability (CGL), property or crime to provide coverage for cyber-related events. In some instances courts have agreed with the insured. For example, in Travelers v. Portal Healthcare Solutions [1], the Fourth Circuit found that the insured's failure to secure a server, which resulted in the availability of personal health information online, was a "publication" under the personal injury and advertising provision of the insured's CGL policy. Therefore, the court held that the insurer had a duty to defend the insured.

In another case, Apache Corp. v. Great American Insurance Company [2], the district court found that the insured's losses were covered under its computer fraud policy after the company wired $2.4 million to a fraudulent account based upon a bogus email. (That ruling was later reversed by the Fifth Circuit in 2016, which held that the loss did not result directly from the use of a computer, illustrating how uncertain such coverage can be.) In other cases, courts have found that computer system failures due to physical damage were covered under property policies [3].

However, coverage under such policies may diminish in the future as insurance companies write cyber risk out of traditional policies. The trigger for cyber coverage is typically a loss or a claim arising from either a security failure (a break-in to the insured's technology systems) or a privacy event relating to the unauthorized access or loss of personal information. These loss causes are ordinarily not covered by property or general liability policies, which is why companies seek stand-alone coverage.
In 2014, the Insurance Services Office (ISO) introduced an endorsement for CGL policies that excludes data breach liability. Thus, insurers using this endorsement, entitled "Exclusion - Access or Disclosure of Confidential or Personal Information and Data-related Liability with Limited Bodily Injury Exception," will not cover claims arising from a breach of data that leads to confidential or personal information leaks.

Types of Cyber Coverage (summary table)

First-Party Coverage
• Network interruption/business interruption
• Cyber extortion/ransom
• Data loss and restoration
• Reputation/crisis management
• Theft/fraud
• Forensic investigation costs
• Regulatory fines
• Media liability

Third-Party Coverage
• Privacy liability
• Breach notification costs
• Credit monitoring
• Transmission of viruses or malicious code

Types of Cyber Coverage

There is no standard form for cyber insurance, and policies are sold under different names including "cyber risk," "privacy" and "information security." Currently, cyber coverage is available for several first-party and third-party liability coverages. The table above provides a summary of some available coverages. An insured may purchase this coverage modularly, but many carriers also offer coverage packages for the most common perils.

First-Party Coverages

Network interruption coverage provides cover for the costs of lost business and additional expense due to an interruption in the insured's network. Most policies require the interruption to last a minimum length of time before coverage applies. For companies that have a high volume of online sales or whose revenue depends heavily on the availability of the internet, this is a coverage to consider. Some insurers offer data loss and restoration coverage to pay the costs of recovering data as a result of a triggering event.

Cyber extortion occurs when hackers deny an insured access to its own network or threaten to disclose the insured's confidential information unless the insured pays a ransom. Cyber extortion coverage pays the cost of the ransom demand.

For many companies the cost of reputational harm resulting from a data breach can be substantial. Many cyber policies include coverage for the cost to retain a crisis management team to help mitigate first-party reputational harm caused by the event. Additionally, some insurers will recommend crisis management vendors.

Forensic investigation coverage includes the cost of forensic examiners to help assess the root cause of the event and improve risk control in the future.

Third-Party Liability Coverage

Privacy liability coverage covers the insured's liability for breaches of the private information of third parties such as clients, customers, business partners and employees. Additional costs related to privacy events, including breach notification costs and credit monitoring, can also be offered in cyber packages.

Additional Coverage Needs

Growing areas of coverage include cloud coverage and outsourced service provider coverage for the insured. As companies continue to outsource portions of their operations or rely more on software as a service and platform as a service providers, the risk that these providers create for the insured is increasing. While some of this liability can be transferred to the third-party provider, the amount of damages due to a security failure could be extreme. Some insurers are offering first-party coverage for losses due to business interruption related to outsourced providers.

There remain some gaps in cyber coverage that insurers must address. For example, large data aggregators with massive amounts of personally identifiable information present a unique and potentially costly risk, and cyber limits have not yet caught up. As more consumer products integrate with technology, the risk of bodily injury from cyber perils is increasing. Insurers need better information to respond to risks related to emerging technology such as the internet of things, driverless cars or wearable medical devices.

Considerations for Your Business

A company's assessment of its cyber insurance needs should begin with an assessment of the insured's sources of risk and perils. A company should also consider whether these perils are covered by other policies or are excluded. For example, a company that handles or stores significant amounts of third-party personally identifiable information should consider coverage that includes both security and privacy liability as well as coverage for regulatory action, such as fines. The company should also consider privacy event costs: the cost of forensic investigation, crisis management, privacy notification and credit monitoring.

Another area of large exposure is in those industries where business interruption is of greater concern than breaches of personal information, such as utilities, manufacturing and transportation. Finally, industries where the value of the lost information is most critical, such as defense contractors and research labs, are generally excluded from today's cyber policies.
When evaluating cyber coverage, an insured should consider whether the policy covers the acts or omissions of third parties. This is particularly pertinent for companies that rely on outsourced vendors to manage their data.

Not all policies are equal in terms of exclusions. The insured should carefully consider language that excludes losses attributed to shortcomings in the insured's security; such language can be subjective and therefore should be avoided. Additionally, some policies exclude acts of terrorism, which may prevent an insured from recovering if an event is triggered by the actions of a hostile nation.

Finally, along with cyber insurance, insurers are increasingly offering risk control packages to help insureds reduce their cyber risk. These packages may include employee educational tools, limited legal consultations on security policies, crisis management plans and technical support offered by third-party information security vendors.

Teri Cotton Santos is senior vice president, chief compliance and risk officer at The Warranty Group and a member of the RIMS External Affairs Committee.

[1] Travelers Indemnity Company of America v. Portal Healthcare Solutions (E.D. Va. 2014), affirmed (4th Cir. 2016).
[2] Apache Corp. v. Great American Insurance Co. (S.D. Tex. Aug. 7, 2015), reversed (5th Cir. 2016).
[3] American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc. (D. Ariz. Apr. 18, 2000) and Landmark American Insurance Co. v. Gulf Coast Analytical Labs (M.D. La. Mar. 30, 2012).