Cyber Liability Coverage – Read that Policy Carefully!

September 3, 2020  |  Carole Clark Isakson

Cyber insurance, also referred to as cyber risk insurance or cyber liability insurance policy coverage, is an insurance policy. Any company that uses technology to do business (i.e. pretty much every company…) should evaluate its need for this type of policy, review the policy language carefully, and verify that policy limits are sufficient. Before cyber insurance coverage became common, in the event of a data breach or other cyber event an insured might have tried to make a claim under its general liability insurance. These claims were frequently denied. With the advent of cyber insurance policies, a more specific product was made available, and may provide the coverage needed.

Cyber insurance applies to data breaches and specified cyber events. The typical policy provides coverage for various costs that may be incurred in a data breach situation – for instance, many policies will provide assistance in verifying and recovering from a data breach. As with any insurance policy, it is important to read the exclusions and be aware of events that are NOT covered.

Not all policies are created equally. Consideration should be given to your specific goals.

Cyber risk insurance often, though not always, covers:

  1. Loss or damage to data (i.e. the cost to replace or restore electronic data belonging to the insured or a third party)
  2. Loss of income (for instance, from a business shutdown caused by the cyber event)
  3. Cyber extortion: assistance in responding to and paying a hacker’s demand
  4. Forensic expenses: hiring an outside team to manage discovery work
  5. Legal expenses: to determine notification requirements required by law, as well as defense in the event a lawsuit is filed against the insured
  6. Notification expenses (applicable law and/or company contracts will surely require that persons impacted by the cyber event are notified)
  7. Regulatory fines and penalties
  8. Repairs and monitoring of affected parties’ credit
  9. Reputation restoration expenses (maybe)

Cyber insurance policies generally do not cover:

  1. Potential future lost profits
  2. Costs beyond the policy limits
  3. Loss of value due to theft of your intellectual property
  4. Betterment: the cost to improve internal technology systems, including any software or security upgrades after a cyber-data breach event

Distinctions in types of coverage are best illustrated by actual events. In 2017, the NotPetya or “GoldenEye” Trojan horse malware attack struck international companies including Merck & Co., a global drug manufacturer, and Mondelez, the owner of dozens of well recognized global food brands. Other entities, including government entities, suffered as well. The NotPetya malware attack is considered the most devastating cyber-attack to date. When the US government found Russia responsible, insurers invoked the “war exclusion” provision found in many policies, and denied hundreds of millions of dollars of claims, including those by Merck and Mondelez. Litigation ensued that still continues to this day, and the issues highlighted the need for standalone and more robust policies than were previously in place.

Because cyber liability insurance policies vary from one carrier to another, it’s important that an expert assist you in reviewing your insurance policies in relation to your specific needs and goals.

Barna, Guzy & Steffen has an outstanding team of software, IT, and corporate contract specialists available to assist you and your company in these and other areas. Connect with us today. We look forward to hearing from you!