Mitigating Risk with Cybersecurity Insurance
By Adam Brouillet
Imagine one of your company’s employees being tricked into clicking on a link in an email to trigger the complete destruction of the company’s electronic files, followed by a weeks-long forensic investigation, legal fees, bad press, regulatory investigations, and loss of business and goodwill. The total price tag? Maybe $200,000 if you’re lucky, or much more if you’re not.
Cybersecurity insurance is a key way the company can mitigate these potential costs. While technical cybersecurity measures, such as firewalls, strong passwords and multi-factor authentication, may filter out malicious emails and prevent at least some attackers from accessing company databases, they are not perfect cybersecurity protections.
If a data security incident occurs, cybersecurity insurance can cover some of the heavy costs incurred from a suspected or actual data breach. Following are some tips on the topic of commercial cybersecurity insurance.
Understand the common causes and costs of a data breach.
The appropriate cybersecurity insurance policy for a company should cover the common causes and costs of a data breach. Common causes of a data breach include phishing emails, business email compromise, malware and ransomware. An ideal cybersecurity insurance policy will have language specifically providing coverage for all of these events.
As for common costs, the company should understand the potential costs to comply with any legal requirements after an actual or suspected data breach. In the United States, all fifty states, the District of Columbia, and U.S. territories Guam, Puerto Rico and the U.S. Virgin Islands have some form of a data breach notification law. These laws apply to companies that hold personal information of their customers and employees. Federal laws and regulations also may apply and generally require companies to maintain reasonable measures to safeguard personal information. Laws outside the United States, most notably the European Union’s General Data Protection Regulation, also require notifications in the event of a data breach.
If the company learns of a potential security breach that may have exposed personal information, the company must conduct a reasonable investigation. The best practice is to retain legal counsel, who then would retain a third-party forensics specialist under the attorney-client or work-product privilege. The forensic specialist would investigate the incident to determine whether there was a data breach and, if so, to what extent. This information will enable counsel to provide legal advice to the company on next steps.
The company may be required to notify those individuals whose information was or might have been accessed. The company also may be required to notify the state attorney general, law enforcement, credit card companies, consumer reporting agencies, or other parties as required by applicable law or contract. The company should implement protective measures to prevent a similar incident from happening again. The breach could lead to lawsuits by disgruntled individuals or other business clients whose information was accessed or to investigations by regulators concerning the company’s data privacy practices. These consequences are costly. Without cybersecurity insurance, the company must bear all of these costs itself.
With these general legal requirements in mind, the company should pick an insurance policy to cover the costs of compliance. Unfortunately, “traditional” commercial insurance policies (liability, property, D&O, E&O, crime, etc.) often do not cover those costs.
Do not rely on “traditional” commercial liability insurance policies.
Companies sometimes assume they have adequate cybersecurity insurance when, in fact, they don’t.
Take the standard commercial general liability, or CGL, policy, for example. CGL policies typically cover bodily injury or accidental property damage. Data breaches do not involve bodily injury, nor are data breaches necessarily accidental; rather, they are intentional acts by the attackers, and CGL policies often exclude coverage for intentional or criminal acts.
Property damage under a CGL policy is usually damage to “tangible” property; electronic data, as “intangible” property, will not be covered by such a policy. A grocery store learned that lesson the hard way in a 2016 case in Alabama. The grocery store’s credit card database was hacked, and credit card data was stolen. The grocery store sought coverage under its CGL property policy, but the court denied coverage because credit card data was intangible property not covered by the policy.
Other companies have experienced similar denials of coverage under other commercial insurance policies. For example, certain property insurance policies may cover the destruction of, or damage to, company property. That may be good news for a company whose electronic data was destroyed by a malware attack, unless of course the policy excludes coverage for damage to electronic data—which is sometimes the case.
The same limitations or exclusions are in many directors and officers, errors and omissions, and crime policies. Either they narrowly define “claim” or other terms to limit coverage for data breaches, or they exclude such coverage altogether.
The best way to insure against a cybersecurity attack or data breach is to obtain a comprehensive cybersecurity insurance policy.
Select the appropriate cybersecurity insurance coverage.
Over the past 20 years or so, as data breaches became more common, insurers frequently denied coverage for data breaches under “traditional” commercial insurance policies and instead created separate cybersecurity insurance policies.
Companies may obtain cybersecurity insurance by purchasing an endorsement to an existing policy or purchasing a stand-alone policy. No standard policy form has emerged, as cybersecurity policy language varies among insurers and policies, but the appropriate cybersecurity insurance policy for a company should cover the common causes and costs of a data breach.
As for common causes, the cybersecurity policy should cover:
- Ransomware (extortion)
- Data exfiltration or destruction
- Vendor breach
- Social engineering
- Stolen devices
- Brute-force attacks
- Business email compromise
As for costs, cybersecurity policies typically provide first-party and third-party coverages. First-party coverages cover the following common costs of a suspected or actual data security incident:
- Forensic investigation
- Legal fees
- Notifications to affected individuals, regulators, and others as may be required by law or contract
- Call center to field inquiries from affected individuals
- Mailing vendor to send notification letters
- Credit monitoring for affected individuals
- Public relations campaigns
- Data repair or restoration
- Ransom payments (extortion liability)
- PCI-DSS fines
- Loss of business / business interruption
- Social engineering fraud loss (fraudulent wire instructions)
- Administrative safeguards, such as employee training and creating security and incident response plans
Third-party coverages cover the following potential legal claims and proceedings that can follow a data security incident, usually on a claims-made-and-reported basis:
- Civil lawsuits
- Regulatory actions and investigations (not every investigation leads to an action)
- Media liability (e.g., unauthorized use of copyright or trademark, defamation, plagiarism)
In evaluating potential cybersecurity insurance policies, the company should understand the amount of coverage for each potential cause of a data breach and analyze where coverages may overlap. As a case in point, in 2016 and 2017, a small Virginia bank was hacked, and the attackers gained administrative-level control over the bank’s databases. The attackers removed anti-theft protections for ATM transactions and stole more than $2 million from the bank at various ATMs.
The bank’s insurance policy had two relevant riders: one covering up to $8 million in losses for the electronic theft of money except for losses from the use of ATMs; the other covering $50,000 in losses from the use of debit cards. This cybersecurity attack involved both an electronic hack and the use of debit cards at ATMs. Predictably, the insurer agreed to cover only $50,000 of the bank’s losses under the debit card rider and denied coverage under the $8 million rider.
The takeaway is that companies should closely scrutinize their cybersecurity risks, identify hypothetical breach scenarios, and evaluate whether the cybersecurity insurance policy would cover the resulting losses and costs. If not, negotiate with the insurer for a better policy or choose another insurance company.
Selecting the appropriate cybersecurity insurance policy requires an understanding of the legal implications of a data breach, the limitations of “traditional” commercial policies and the potential cybersecurity risks of the company. A comprehensive cybersecurity insurance policy covering the common causes and costs of a data breach is a key way to mitigate those risks.
Adam Brouillet is a shareholder with Tampa-based Trenam Law, located in the firm’s St. Pete office. Brouillet’s practice focuses on data privacy, cybersecurity and business litigation.
He can be reached at (727) 824-6105.