Is Your Business Aware of Data Breach Threats and Cyber Insurance Limitations?


by | May 4, 2020

It is everywhere in the news: “Dramatic Increase in Cyber Attacks”;[1] “Data Breach Impacting Thousands of Emergency Business Loan Applicants”;[2] “New Malware Using Covid-19 Themed Lures in Phishing Attacks”.[3] Businesses and individuals have never been at more risk for a data breach or cyber-attack. With the vast majority of employees now working from home (“WFH”), hackers and cyber-criminals have more opportunities than ever to breach a company’s computer systems. As a result, businesses will need to rely more than ever on their cyber insurance policies. But what do cyber policies typically cover and what should businesses be prepared for?

Cyber Insurance

Cyber Insurance is a type of insurance designed to cover consumers of technology services or products. These policies are intended to cover a variety of both liability and property losses that may result when a business engages in various electronic activities, such as selling on the Internet or collecting data within its internal electronic network.  Most importantly, cyber and privacy policies cover a business’ liability for a data breach in which the firm’s customers’ personal information, such as Social Security or credit card numbers, is exposed or stolen by a hacker or other criminal who has gained access to the firm’s electronic network. The policies can also cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft.  In addition, the policies cover liability arising from website media content, as well as property exposures from: (a) business interruption, (b) data loss/destruction, (c) computer fraud, (d) funds transfer loss, and (e) cyber extortion.

The typical business commercial general liability (“CGL”) policy will not provide coverage for data breaches, as CGL policies cover bodily injuries and property damage resulting from the business’s products, services or operations. Cyber insurance is often excluded from a general liability policy.

Hacking Opportunities Increased in WFH Setting

Each time an employee connects to their corporate network from home, they are creating possible access points for hackers to exploit. When this happens hundreds or thousands of times on a single network, it is difficult to ensure every connection is secure. Typically there are three (3) concerns and hazards of WFH:

1) Home Wi-Fi Security: As opposed to the office environment, where IT managers can control the security of all Wi-Fi networks, employees’ home networks often have weaker protocols, which allow hackers easier access to the network’s traffic.

2) Phishing Scams: Phishing attacks are the #1 cause of data breaches. Hackers can easily send seemingly legitimate, deceptive emails with malicious links and attachments. Once an employee clicks on this malicious link, a hacker is able to gain access to the employer’s device.

3) Insecure Passwords: Simple passwords are easy for hackers to crack, and if an insecure password is used across several platforms, it allows hackers to gain access to multiple accounts quickly.

Cyber Insurance Coverage Issues

Policyholders should take the time to know what their Cyber Insurance does and does not cover. Typical gaps in cyber coverage include the following:

1) Regulatory Fines: Some policies do not cover regulatory fines that federal or state regulators may impose for a company’s violation of a privacy statute where no underlying cyber incident occurred.

2) Litigation Costs: Some policies exclude coverage for data breach litigation costs. Cyber policies that do cover litigation defense costs help a company prepare for and mitigate a myriad of costs that can arise from a data breach or regulatory action. Businesses should consider obtaining policies that include third-party liability coverage that includes litigation costs.

3) Cyber Fraud: Fraud, even if it involves cyber issues, may not be covered under a cyber policy; instead, it may be included in a “crime policy”.

4) Intentional Acts of Employees: Some cyber policies exclude coverage for intentional acts by the insured’s employees. A typical scenario is where an unauthorized employee accesses and discloses information.

One of the most famous examples of cyber insurance not covering a claim involved Sony and its cyber insurer Zurich American Insurance. Zurich denied Sony’s claim for $2 billion in losses from a 2011 data breach of 77 million users’ personally identifiable information. After years of litigation, the parties reached a confidential settlement without Zurich ever acknowledging a coverage obligation.

Best Practices

Businesses should closely read their cyber policies to know what they need to comply with to ensure coverage. Companies should have cyber-attack / data breach response plans ready, with responsibility for different tasks assigned to specific team members. These plans may include notifying the insurer and, if applicable, the insurer’s designated cybersecurity firm. Businesses may also consider assigning someone to keep track of federal and state privacy and cybersecurity regulations and to regularly update the team with new requirements that need to be followed.

Cyber insurance should not be seen as a replacement for a properly developed cybersecurity program. Cyber insurance can help offset some costs, but it will not cover the costs of losing valuable intellectual property. Every company should have a comprehensive cyber risk management strategy, and cyber insurance should be a core component. An essential financial instrument in the risk management toolbox, cyber insurance is complementary to cybersecurity, not an alternative.

[1] https://www.who.int/news-room/detail/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance

[2] https://uspirg.org/news/usp/statement-sba-data-breach-puts-business-owners-risk-id-theft-and-other-fraud

[3] https://twitter.com/MsftSecIntel/status/1251181180281450498

Author

  • Kevin Meade

    Kevin has represented hundreds of clients in all areas of litigation, focusing on complex litigation matters, including construction defect, insurance coverage, business disputes, class actions, and environmental or bodily injury claims.