Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
Security Enterprise ServicesCybersecurity News

Reviewing Emerging Insurance Protection for Cyber Risks

Are you covered in the event of a cyber breach?

By Marla Kanemitsu, Erin Webb
Cyber Security
April 1, 2014

As cyber risk and security issues continue to grow, companies are examining not only their cyber risk management strategies, but also their insurance coverage. A recent study from the Ponemon Institute reported that 70 percent of respondents either had a cybersecurity insurance policy or planned to purchase one in the next 24 months.

To assess how insurance can and should factor into a company’s cyber risk management strategies, organizations should be familiar with two general categories: (1) “traditional” insurance policies, such as commercial general liability (CGL) and property insurance; and (2) policies specifically designed to cover cyber risks (cyber policies).

“Traditional” insurance policies, like CGL and property policies, are found in almost every company’s insurance portfolio. Many of these policies cover some types of cyber risks.  The insurance industry, however, has endeavored over time to limit or eliminate cyber coverage under these policies, typically by adding exclusions barring coverage for certain cyber-related claims. Not coincidentally, the development of these exclusions accompanied an uptick in the number of cyber-specific insurance products in the marketplace. The effect is that companies wanting to insure cyber risks are increasingly being pushed by the insurance industry away from reliance on traditional policies and toward specialized cyber policies.

In the past, many companies avoided purchasing cyber policies because they were considered too expensive or too limited. The cyber insurance market, however, has expanded in recent years. Third-party liability coverage for data breach claims, in particular, is now more common and newer, more affordable policies are being marketed. That said, insurance for some types of cyber risks, such as damage to a company’s reputation, may still be difficult or expensive to obtain, at least for now.

Regardless of whether an organization is currently relying on traditional policies for cyber coverage or also has a cyber policy, enterprise security executives developing risk management strategies should be familiar with both categories of policies and know which are in the company’s portfolio. A surprising finding in the Ponemon report was that chief information officers and chief information security officers typically had little involvement in the decision-making process for purchasing cyber-related coverage.  Given the increasing importance of cyber risks, security professionals should be integrally involved in cyber-related insurance decisions.

 

Looking Back: Cyber Coverage Under Traditional Policies

A CGL policy is a type of third-party insurance, meaning it covers claims asserted against the policyholder by third parties. These policies also commonly require the insurer to defend the policyholder against potentially covered claims. Policyholders frequently seek coverage for cyber claims under the CGL policy’s coverage for “property damage” and/or “personal and advertising injury.”  These terms are usually defined in the policy.

Under one common definition, “property damage” includes “physical injury to tangible property, including all resulting loss of use of that property” and “loss of use of tangible property that is not physically injured.”  A frequent dispute between policyholders and insurers is whether damage to electronic data constitutes “property damage.”  Some courts have held that electronic data qualifies as tangible property within the meaning of the term “property damage,” though others disagree. The specific result in any one case will depend on the CGL policy’s language, the facts, and applicable state law.

CGL policies also cover “personal and advertising injury,” which typically is defined to include “publication of material that violates a person’s right of privacy.” Some policyholders suffering data breaches that compromise individuals’ personal information have secured coverage under this “personal and advertising injury” coverage. Frequently, coverage will turn on whether the data breach constitutes “publication” of personal information. Here, too, courts have reached different results, and the outcome for any particular policy will depend on policy language, facts and governing law.

Property policies also may cover some cyber claims. Property policies are “first-party” policies, meaning they cover the policyholder for its own losses. These policies often cover “direct physical loss of or damage to Covered Property.”  They also can cover business losses resulting from covered property damage. For example, if a hurricane strikes a hotel, the hotel’s property policy will cover the physical damage to the hotel, as well as the income lost as a result of the “business interruption” suffered by the hotel. As with CGL policies, coverage for cyber claims under a property policy frequently turns on whether the damage to electronic data is considered “physical loss or damage” to property, which again will vary depending on the specifics involved.

In an apparent response to court decisions holding that these traditional policies provide coverage for cyber claims, the insurance industry has attempted to narrow or eliminate coverage for cyber risks under CGL and property policies. The industry’s response is a bit like the TSA’s response to new security threats – as new risks crop up, they try to create a rule that targets that risk. For example, when environmental pollution claims proliferated, the insurance industry implemented a pollution exclusion.  In response to asbestos claims, a new asbestos exclusion emerged. Now, in response to increasing cyber risks, the Insurance Services Office (“ISO:” the entity responsible for drafting many of the standard form policies used in the industry) has developed exclusions that seek to narrow the cyber coverage available under traditional policies. For example, ISO published a 2007 property insurance form that excluded electronic data from the definition of “Covered Property,” and instead moved electronic data claims into a separate “additional coverage” category that was subject to much lower coverage limits.

Similarly, ISO published a 2004 CGL form that excludes coverage for “damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”  This year, ISO announced a new exclusion titled “Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – with Limited Bodily Injury Exceptions.” Although some insurers use these exclusions, it is important to note that prior policy forms are also still in use, and some policies may not follow the ISO forms at all. Thus, whenever a claim arises, a company should carefully scrutinize its CGL and property policies to determine if coverage is available.

Notwithstanding the increasing use of cyber-related exclusions in CGL and property policies, a recent report by the Department of Homeland Security noted that some companies reported they did not purchase cyber-specific policies because they believed their traditional policies covered cyber risks. While this determination will be correct for some companies, no company should assume its traditional policies provide adequate cyber coverage without examining the exact types of risks the company faces and the exact language of the policies it purchased. Over time, the likelihood that traditional policies will provide adequate cyber coverage will likely decrease, meaning that companies seeking to insure cyber risks will need to purchase cyber-specific policies.

           

Looking Forward: Coverage Under Cyber Policies

Though specialized cyber insurance policies have been around for several years, the market is still developing. There are now many carriers in the cybersecurity insurance market offering a wide variety of insurance products. Like traditional coverage, cyber policies are offered for both first-party and third-party losses.

First-party cyber policies vary in terms, scope, and cost, but can cover costs to notify the required authorities and affected customers of a cyber incident, to restore lost data or pay for its “loss of use,” and to repair damaged systems.  These policies also can cover “remediation” efforts, such as credit monitoring services for affected customers, and for the company’s “business interruption” losses relating to a cyber risk event. In addition, some policies cover reimbursement for “extortion,” or amounts paid to a malicious third party to prevent destruction or release of the company’s data. These policies also can cover forensic investigation, crisis management and public relations expenses.

Third-party cyber coverage generally pays for the costs of claims or lawsuits brought against the company by private parties or government regulators following a cyber incident. Some insurers offer to combine first-party and third-party coverage under a single policy, which could reduce premiums.

Navigating exclusions and limitations in cyber policies can be a major concern. Some policies do not cover unencrypted data on portable devices. Some policies also may limit or eliminate coverage for information held by a third party unless there is a written contract between the policyholder and the third party. Cyber risk policies also can define the geographic scope of the covered risks to certain locations, the entire United States, or worldwide. Companies should ensure that their coverage matches their business relationships and risks, so that they are not under- or over-purchasing coverage.

In short, every company has some exposure for cyber risk events. It is important for a company to assess its exposure, risks and security profile, and tailor its insurance coverage to its specific operations and needs. It is equally important for CIOs and CISOs to carefully consider insurance as a risk management tool and to have a voice in the placing of the company’s insurance. Experienced coverage counsel can provide meaningful feedback on proposed policy language and how that will serve a company’s needs.

           

About the Authors: Marla Kanemitsu is a partner in Dickstein Shapiro’s Insurance Coverage Group and is based in the firm’s Los Angeles and Washington, DC offices. She leads the firm’s Cybersecurity & Intellectual Property Insurance Practice and also is a member of the firm’s multidisciplinary Cybersecurity & Data Privacy Solutions Practice.  In addition to her insurance work, Marla has extensive experience representing clients in class action and other complex litigation involving consumer products and services. Erin L. Webb is a Senior Managing Associate in Dickstein Shapiro’s Insurance Coverage Group and is based in the firm’s Washington, DC office. She is a member of the firm’s Cybersecurity & Intellectual Property Insurance Practice and has significant experience with complex insurance issues involving companies in the energy and technology industries.   

KEYWORDS: cyber security insurance data breach costs security budget security insurance

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cybersecurity
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Coding

AI Emerges as the Top Concern for Security Leaders

Half open laptop

“Luigi Was Right”: A Look at the Website Sharing Data on More Than 1,000 Executives

Shopping mall

Victoria’s Secret Security Incident Shuts Down Website

Laptop with coding on ground

Stepping Into the Light: Why CISOs Are Replacing Black-Box Security With Open-Source XDR

Gift cards and credit cards

Why Are Cyberattacks Targeting Retail? Experts Share Their Thoughts

2025 Security Benchmark banner

Events

June 24, 2025

Inside a Modern GSOC: How Anthropic Benchmarks Risk Detection Tools for Speed and Accuracy

For today's security teams, making informed decisions in the first moments of a crisis is critical.

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

From animal habitats to bustling crowds of visitors, a zoo is a one-of-a-kind environment for deploying modern security technologies.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cyber security

    The integration of small business cybersecurity protection and cyber insurance: An emerging trend in 2021

    See More
  • Cybersecurity Insurance

    How to Shop for a Cyber Insurance Policy

    See More
  • cyber 3 responsive default

    Organizations Unsure if Cyber Insurance will Payout for Email Attacks

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing