An Overview of Cyber Liability Insurance by Pat Olahan
Privacy and security issues seem to be at the top of the list of items to address for many business leaders in 2019. This is no surprise, considering the media coverage of high-profile events, such as Mark Zuckerberg defending the privacy policies of Facebook before Congress, the Marriott breach (which affected over 300 million consumers), and the ransomware attack that cost the City of Atlanta an estimated $2.6 million. The enactment of the General Data Privacy Regulation in the European Union, which permits imposing significant fines for the mishandling of customer data by businesses operating within the European Union, coupled with the passing of similar legislation in California (California Consumer Protection Act), demonstrates that we are heading toward an even more stringent regulatory environment. Luckily, as the cybersecurity threat landscape continues to grow and evolve, so do the insurance products that help businesses manage the risks that these threats represent.
What began years ago as a privacy and security liability policy has quickly grown into a product consisting of a comprehensive coverage offering that is simply known as “Cyber Liability.” The easiest way to look at the coverage being offered under these policies is to break down the policy into two parts: first-party coverage and third-party coverage.
The first-party portion of the policy picks up the direct costs a company will incur in investigating and responding to a cyber incident. The first-party costs include net income loss or extra expenses incurred as a result of a network interruption, the cost to restore lost or corrupt data, and ransomware extortion payments. The most important first-party coverage and the greatest value offered by the Cyber Liability policy is the cost to consult a law firm in the wake of a breach and to institute a response plan. This consists of a legal consultation to inform the policyholder of its obligations arising from the incident, as well as a plan of action to hire a firm to conduct a forensic investigation, set up notification/call center/credit monitoring services for affected individuals, and hire a public relations firm to prepare for any media fall-out that could be imminent. By purchasing a Cyber Liability policy, the policyholder has immediate access through the insurance company to industry-leading firms performing these services at discounted rates. There is no need for policyholders to keep vendors on retainer or rush to find assistance during an incident.
The third-party liability section allows a policyholder to seek reimbursement for defense costs and indemnity to respond to any type of litigation brought against it as a result of a privacy or security incident. Such claims typically will allege negligence in maintaining an adequate level of network security and protecting the personally identifiable information of others. Additionally, the coverage offered will defend the company against a variety of regulatory investigations brought by any state, federal, or international agency. The policy will defend companies that accept, store, or transmit payment card information against investigations brought by the Payment Card Industry Security Standards Council (AmEx, Visa, MasterCard, Discover, and JCB International). If damages, fines, penalties, or assessments are levied against the company as a result of the claims, then the policy also will pick up these costs.
These third-party and first-party coverages make up what has become the core of the cyber liability policy. The marketplace for purchasing these policies continues to evolve and is becoming more competitive, as one hundred insurance companies purport to offer coverage. With new threats emerging almost daily, the most competitive insurers are offering additional enhancements and value-added risk management services to supplement these core offerings. The fierce competition among insurers also makes it a great time for business leaders to secure the most comprehensive policy at the lowest cost.
Having a cyber liability policy in effect will not eliminate the risk, but it will better position a business to be more prepared than most peers and competitors when forced to address the inevitable incident in a cost-effective manner.
Pat Olohan is an Account Manager in the Cyber Risk practice for the Risk Strategies Company insurance brokerage. Pat has tailored Cyber Risk solutions for businesses across all sectors.