Reviewing Emerging Insurance Protection for Cyber Risks
Are you covered in the event of a cyber breach?
As cyber risk and security issues continue to grow, companies are examining not only their cyber risk management strategies, but also their insurance coverage. A recent study from the Ponemon Institute reported that 70 percent of respondents either had a cybersecurity insurance policy or planned to purchase one in the next 24 months.
To assess how insurance can and should factor into a company’s cyber risk management strategies, organizations should be familiar with two general categories: (1) “traditional” insurance policies, such as commercial general liability (CGL) and property insurance; and (2) policies specifically designed to cover cyber risks (cyber policies).
“Traditional” insurance policies, like CGL and property policies, are found in almost every company’s insurance portfolio. Many of these policies cover some types of cyber risks. The insurance industry, however, has endeavored over time to limit or eliminate cyber coverage under these policies, typically by adding exclusions barring coverage for certain cyber-related claims. Not coincidentally, the development of these exclusions accompanied an uptick in the number of cyber-specific insurance products in the marketplace. The effect is that companies wanting to insure cyber risks are increasingly being pushed by the insurance industry away from reliance on traditional policies and toward specialized cyber policies.
In the past, many companies avoided purchasing cyber policies because they were considered too expensive or too limited. The cyber insurance market, however, has expanded in recent years. Third-party liability coverage for data breach claims, in particular, is now more common, and newer, more affordable policies are being marketed. That said, insurance for some types of cyber risks, such as damage to a company’s reputation, may still be difficult or expensive to obtain, at least for now.
Regardless of whether an organization is currently relying on traditional policies for cyber coverage or also has a cyber policy, enterprise security executives developing risk management strategies should be familiar with both categories of policies and know which are in the company’s portfolio. A surprising finding in the Ponemon report was that chief information officers and chief information security officers typically had little involvement in the decision-making process for purchasing cyber-related coverage. Given the increasing importance of cyber risks, security professionals should be integrally involved in cyber-related insurance decisions.
Looking Back: Cyber Coverage Under Traditional Policies
A CGL policy is a type of third-party insurance, meaning it covers claims asserted against the policyholder by third parties. These policies also commonly require the insurer to defend the policyholder against potentially covered claims. Policyholders frequently seek coverage for cyber claims under the CGL policy’s coverage for “property damage” and/or “personal and advertising injury.” These terms are usually defined in the policy.
Under one common definition, “property damage” includes “physical injury to tangible property, including all resulting loss of use of that property” and “loss of use of tangible property that is not physically injured.” A frequent dispute between policyholders and insurers is whether damage to electronic data constitutes “property damage.” Some courts have held that electronic data qualifies as tangible property within the meaning of the term “property damage,” though others disagree. The specific result in any one case will depend on the CGL policy’s language, the facts, and applicable state law.
CGL policies also cover “personal and advertising injury,” which typically is defined to include “publication of material that violates a person’s right of privacy.” Some policyholders suffering data breaches that compromise individuals’ personal information have secured coverage under this “personal and advertising injury” coverage. Frequently, coverage will turn on whether the data breach constitutes “publication” of personal information. Here, too, courts have reached different results, and the outcome for any particular policy will depend on policy language, facts and governing law.
Property policies also may cover some cyber claims. Property policies are “first-party” policies, meaning they cover the policyholder for its own losses. These policies often cover “direct physical loss of or damage to Covered Property.” They also can cover business losses resulting from covered property damage. For example, if a hurricane strikes a hotel, the hotel’s property policy will cover the physical damage to the hotel, as well as the income lost as a result of the “business interruption” suffered by the hotel. As with CGL policies, coverage for cyber claims under a property policy frequently turns on whether the damage to electronic data is considered “physical loss or damage” to property, which again will vary depending on the specifics involved.
In an apparent response to court decisions holding that these traditional policies provide coverage for cyber claims, the insurance industry has attempted to narrow or eliminate coverage for cyber risks under CGL and property policies. The industry’s response is a bit like the TSA’s response to new security threats – as new risks crop up, they try to create a rule that targets that risk. For example, when environmental pollution claims proliferated, the insurance industry implemented a pollution exclusion. In response to asbestos claims, a new asbestos exclusion emerged. Now, in response to increasing cyber risks, the Insurance Services Office (“ISO,” the entity responsible for drafting many of the standard form policies used in the industry) has developed exclusions that seek to narrow the cyber coverage available under traditional policies. For example, ISO published a 2007 property insurance form that excluded electronic data from the definition of “Covered Property,” and instead moved electronic data claims into a separate “additional coverage” category that was subject to much lower coverage limits.
Similarly, ISO published a 2004 CGL form that excludes coverage for “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” This year, ISO announced a new exclusion titled “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – with Limited Bodily Injury Exceptions.” Although some insurers use these exclusions, it is important to note that prior policy forms are also still in use, and some policies may not follow the ISO forms at all. Thus, whenever a claim arises, a company should carefully scrutinize its CGL and property policies to determine if coverage is available.
Notwithstanding the increasing use of cyber-related exclusions in CGL and property policies, a recent report by the Department of Homeland Security noted that some companies reported they did not purchase cyber-specific policies because they believed their traditional policies covered cyber risks. While this determination will be correct for some companies, no company should assume its traditional policies provide adequate cyber coverage without examining the exact types of risks the company faces and the exact language of the policies it purchased. Over time, the likelihood that traditional policies will provide adequate cyber coverage will likely decrease, meaning that companies seeking to insure cyber risks will need to purchase cyber-specific policies.
Looking Forward: Coverage Under Cyber Policies
Though specialized cyber insurance policies have been around for several years, the market is still developing. There are now many carriers in the cybersecurity insurance market offering a wide variety of insurance products. Like traditional coverage, cyber policies are offered for both first-party and third-party losses.
First-party cyber policies vary in terms, scope, and cost, but can cover costs to notify the required authorities and affected customers of a cyber incident, to restore lost data or pay for its “loss of use,” and to repair damaged systems. These policies also can cover “remediation” efforts, such as credit monitoring services for affected customers, and the company’s “business interruption” losses relating to a cyber risk event. In addition, some policies cover reimbursement for “extortion,” or amounts paid to a malicious third party to prevent destruction or release of the company’s data. These policies also can cover forensic investigation, crisis management and public relations expenses.
Third-party cyber coverage generally pays for the costs of claims or lawsuits brought against the company by private parties or government regulators following a cyber incident. Some insurers offer to combine first-party and third-party coverage under a single policy, which could reduce premiums.
Navigating exclusions and limitations in cyber policies can be a major concern. Some policies do not cover unencrypted data on portable devices. Some policies also may limit or eliminate coverage for information held by a third party unless there is a written contract between the policyholder and the third party. Cyber risk policies also can define the geographic scope of the covered risks to certain locations, the entire United States, or worldwide. Companies should ensure that their coverage matches their business relationships and risks, so that they are not under- or over-purchasing coverage.
In short, every company has some exposure for cyber risk events. It is important for a company to assess its exposure, risks and security profile, and tailor its insurance coverage to its specific operations and needs. It is equally important for CIOs and CISOs to carefully consider insurance as a risk management tool and to have a voice in the placing of the company’s insurance. Experienced coverage counsel can provide meaningful feedback on proposed policy language and how that will serve a company’s needs.
About the Authors: Marla Kanemitsu is a partner in Dickstein Shapiro’s Insurance Coverage Group and is based in the firm’s Los Angeles and Washington, DC offices. She leads the firm’s Cybersecurity & Intellectual Property Insurance Practice and also is a member of the firm’s multidisciplinary Cybersecurity & Data Privacy Solutions Practice. In addition to her insurance work, Marla has extensive experience representing clients in class action and other complex litigation involving consumer products and services. Erin L. Webb is a Senior Managing Associate in Dickstein Shapiro’s Insurance Coverage Group and is based in the firm’s Washington, DC office. She is a member of the firm’s Cybersecurity & Intellectual Property Insurance Practice and has significant experience with complex insurance issues involving companies in the energy and technology industries.