Cyber Liability: Maybe Not for Fred Flintstone, But for Everyone Else?

Cyber liability insurance. Do I really need it? If your company uses electronic data, Fred Flintstone, it is likely that yes. What activities can make your company vulnerable to cyber-attacks and data breaches? What coverage is typically included in a policy covering cyber liability? Every business that uses electronic equipment in its operations must have cyber liability coverage. This applies to virtually everyone.

Which of the following are you interested in?

• Communicate with customers via email, text messages or social media

• Send or receive documents electronically

• Advertise your company via electronic media, such as a website or social media

• Store your company’s data on a computer network. Some examples of company data include sales projections and tax documents.

• Store data that belongs to others (such as employees or customers) on a computer network. This could include customer names and addresses as well as credit card numbers and birth dates of employees and social security numbers.

• Sell products or services through a company website

These activities can be a great help to your business or organization. However, these activities come with risks. You could also have to pay out-of-pocket costs to restore or repair data that has been damaged or lost.

Cyber liability insurance covers lawsuits that result from events like data breaches, data inaccessibility, and failure to adequately safeguard data from theft. These types of lawsuits cannot be covered by standard commercial general liability policies (CGL).

One, electronic data damage does not count as property under a CGL policy. Why? The reason is that electronic data is not considered tangible. Secondly, most CGL policies contain a specific electronic data exclusion. This exclusion excludes coverage from claims “based upon the loss, damage, or corruption of data” or their inability to be used.

Imagine a virus infecting your computer network, causing damage to client’s data that you are responsible for maintaining. You might be the bookkeeper. The virus prevents your client from accessing records necessary to obtain a loan, or to create a contract. Your client sues for data loss. Your CGL policy won’t cover the suit. The property damage was not an issue.

Cyber liability policies protect businesses from lawsuits brought by customers or other parties arising out of security and privacy breaches. These policies have been available for almost twenty years. However, there is not one common form or policy language across the many cyber liability policies offered by insurers. A cyber liability expert gave brokers selling cyber liability policies a C- rating. Imagine if these experts had a C- knowledge about the policies. Can you imagine the grade he would give to business owners and risk managers who purchase such coverage?

The majority of forms are designed on a claims-made foundation. All claims relating to data breaches, invasion of privacy, libel or defamation, cyber-related slander or infringement must be made during the policy period.

Many forms cover third-party liability, which is the coverage that covers claims made against you by others. Many cyber policies now cover first-party expenses. These are your damages resulting from a cyber attack. Here are some examples.

• Business Income and Extra Expense covers income you lose and expenses you incur due to a full or partial shutdown of your computer system because of a cyber-attack, virus or other insured peril. This coverage is different from the business income and extra expense coverage that is available under a commercial policy.

• Loss of Data covers the cost of restoring or reconstructing your data that was lost or damaged due to a virus, hacker attack or other covered cause.

• Associated Costs covers costs you incur due to a data breach. This includes the cost to notify affected customers in accordance with law and providing credit monitoring services to those customers. As part of these notifications, penalties and fines are often imposed. The penalties and fines can be very expensive. There is much debate among carriers about whether they should be covered for such “damages”, as they may be used as punishment or deterrent. These costs are not usually covered by insurance. In the case of a breach in private health information identity monitoring is more important than credit monitoring for anyone who might have had their records exposed.

• Cyber Extortion covers the costs associated with a cyber ransom threat. A cyber-criminal might threaten to exploit security holes in your computer system, or even shut down your system using a denial-of-service attack, unless you pay a certain amount of money. They usually demand payment in bitcoins and cyber currency.

While some policies are tailored to the needs of technology companies, others are made for healthcare organizations. Many insurers offer a wide range of coverages that can be purchased “a la carte”. This allows customers to pick the coverages they are most interested in. This can be confusing for the uninitiated broker or buyer, who might not choose the right coverages.

A broker or agent can help you get cyber liability insurance. You will be asked detailed questions about the security of your firm’s computers. While in the past, insurance companies would often audit the security of prospective insureds. This is becoming less common. The following are questions that insurance companies ask about:

• Firewall Does your system have a firewall?

• Virus Scans Do you scan email, downloaded content or portable devices for viruses?

• Responsible Person Who is responsible for network security?

• Security Policy Do you have a written security policy?

• Protection Software Is your system protected by anti-virus software? Do you use intrusion detection software?

• Remote Access Do employees, customers or others access your system remotely? What system do you have in place to authenticate these users?

• Sensitive Data What types of sensitive data (social security numbers, credit card information etc.) What data do you keep on your computer? Are the data encrypted

• Access Do you control access to sensitive data?

• Data Controls Testing Do you periodically test your data control measures?

• Data Backup and Storage Do you back up your data daily? Where are the backups stored?