As we try to learn from the events of 2017 and make our business plans for 2018, it is apparent that managing “cyber risk” — the risk that your enterprise will be impacted by a data breach — has become an imperative for many.
There is good reason for that. Many have noted that 2017 marked a turning point in social attitudes around cyber breaches. Rather than seeing a data breach as an unavoidable consequence of modern life, a petty crime perpetrated by petty criminals (a kid on a laptop in his bedroom), we now focus on the conduct of the entity whose data was hacked, and as consumers we react to and punish those businesses that failed to prevent, mitigate or timely report their breaches.
Equifax, Uber and Yahoo are just three among many examples of companies criticized on these grounds in the last year. Many more small, medium and large enterprises were negatively impacted by data breaches.
Indeed, there are few enterprise risks more harmful than unmanaged cyber risk. While the financial impacts of data breaches can be substantial, the greatest, potentially existential, threat from cyber risk is the impact of an unmitigated data breach on your company’s reputation.
Thankfully, there is a large, growing and competitive market for insurance products to address, allocate and potentially mitigate cyber risk, and many of these products are keyed to reputational risks.
This article identifies the key components of the cyber risk management process and cyber risk/data breach insurance, and describes critical provisions, variations and limitations in commercially available coverages to provide an initial knowledge base for further inquiry.
Cyber risk/data breach insurance and risk management
Defining cyber risk in the context of your specific business is the first step in managing this risk.
Companies that interact directly with the public, and companies that rely on third-party payment processors, are exposed to significant financial risk from data breaches, while those enterprises whose business model is based on confidentiality and trust (e.g., banks, law firms, doctors, insurers) are also exposed to substantial reputational risk.
The risk management process requires the management of each company to consider the “what if’s” of several data breach scenarios.
For example, what potential negative outcomes might flow from a data breach involving a community bank or credit union? Does my business model make me a target for cyber extortion? Am I compliant with applicable statutory and regulatory regimes regarding data protection?
Those and other “what if’s,” together with inquiries such as “how am I vulnerable?”, may identify operational vulnerabilities and non-insurance risk mitigation measures (e.g., additional hardware/software protections, white-hat breach or vulnerability assessments, contractual allocation of breach risk with vendors and customers), and help the enterprise assess whether cyber risk insurance is a cost-effective risk transfer mechanism.
Many businesses may benefit from receiving knowledgeable and objective input from third-party legal and other professional advisors in assessing and managing cyber risk.
Once the impact of data breaches on your business has been identified, and mitigated to the extent practicable with internal measures, it is time to consider cyber risk insurance as a risk transfer mechanism.
Key features of cyber risk insurance
If there is one notable feature of commercially available cyber risk or data breach insurance, it is the lack of standardization.
Most business owners can easily explain what is covered under their commercial general liability, or CGL, insurance — coverage for defense cost and settlements or judgments for claims involving bodily injury or property damage.
Since CGL policies are written on highly standardized policy forms, with limited variations, insureds can focus on pricing or claim service reputations in making CGL purchase decisions. The standardization in CGL policies also limits pricing variability among different insurers.
In comparison, cyber risk insurance, a relatively new line of coverage, is highly variable. In a recent experience, pricing for the same basic cyber risk liability limits quoted by four insurers varied by more than 150 percent.
Moreover, while pricing and claim service are important issues in cyber insurance, the lack of policy standardization and knowledge gaps about the operation of key provisions makes the cyber risk purchase decision fraught with uncertainty.
Ditch the jargon and focus on the protection provided
Making sure your cyber risk policy addresses the key financial and reputational risks your business faces is far more important than understanding whether a specific coverage is considered as “third-party” versus “first-party” coverage.
However, since your broker and even some insurers may use these terms in describing coverages found in cyber risk policies, a little background may be helpful.
“Third-party coverage” is used to describe liability insurance. If a third party makes a claim or sues you for the harms resulting from a data breach, third-party coverage in a cyber risk policy will address the circumstances in which the insurer will defend or indemnify its insured from such third-party claims.
The sources of such claims and suits may be the third parties whose data was breached, credit card companies who suffered fraudulent claims because of the breach, or governmental regulatory authorities charged with enforcing data breach protection laws.
By contrast, the words “first-party coverage” are ordinarily used to describe property coverages in which the insured receives payment from the insurer for damages to its own property caused by a covered cause of loss.
In the cyber risk insurance context, first-party coverages reimburse the insured for certain expenditures that the insured makes following an actual or threatened data breach. Examples of such first-party cyber risk coverages may include reimbursement for credit monitoring services the insured provides for breach victims, crisis management and/or public relations costs incurred by the insured following a breach, or even reimbursement of cyber extortion payments made to avoid a threatened breach.
By following through on the risk identification/management strategy, the business owner can assess whether a policy being considered adequately addresses the risks identified without regard to the label the insurer or broker puts on such coverages.
Coverage triggers, exclusions and other limitations
In buying any insurance, it is critical to understand how the coverage operates. That means understanding what circumstances are covered and how claims are processed, as well as what circumstances are not covered or under what conditions the insurer is relieved from paying a claim.
Cyber risk insurance is almost universally written on a claims-made basis — meaning that to be covered, the claim or suit against you for a data breach must be first made during the policy period.
While some cyber risk policies include multiple liability insuring agreements tailored to specific claim circumstances (e.g., “data breach event” liability coverage, “regulatory event” liability coverage), other such policies provide a single liability insuring agreement covering many different claims circumstances. Insuring agreements for so-called first-party coverages reflect a similar pattern.
Many insurers impose additional limitations based on the timing of the breach that resulted in the claim, with some policies limiting the coverage to claims where both the breach and the claim took place during the policy period (no prior acts coverage), some setting a limitation on prior acts by using a retroactive date, and others providing unlimited prior acts coverage. The inclusion of limited or unlimited prior acts coverage may be negotiable for many insurers.
Providing timely notice to the insurer of a claim or suit is also crucial. In most jurisdictions, a failure to comply with a claims-made policy’s notice provision (how soon after the claim is made against the insured the insured must notify the insurer of the claim) will defeat an otherwise covered claim.
The timing for such reporting can be tight, with some policies providing a complete defense to coverage if the claim is not reported “as soon as practicable.” Thus, comparing notice provisions across cyber risk policies is important.
While insuring agreements within a policy describe the circumstances under which a matter may be covered, exclusions limit such otherwise available coverage. Not only are such exclusions highly variable in cyber risk insurance, in a number of instances, the scope of such exclusions or even whether the exclusion remains may be negotiable at the outset.
Typical cyber breach policies may exclude the following:
- Claims for property damage or bodily injury (other than emotional distress)
- Claims involving intentional or fraudulent conduct by the insured
- Claims alleging infringement of intellectual property rights
- Insured versus insured claims
- Securities law violations
- Claims arising out of war, riot or governmental orders impacting the use of property
Other critical limitations must also be considered. For example, does the insurer control defense and settlement? Does the policy include a so-called “hammer” clause pursuant to which the insurer limits its liability under circumstances where the insurer and the claimant are willing to settle, but the insured business refuses?
In the first-party coverages, who selects the service provider for those covered expenses (e.g., breach notification)? The insurer or the insured business? Are there limitations in addition to policy limits on the nature of such services or approved providers?
Determining the appropriate amount of any self-insured retention or deductible and the insured’s ability to control claims within its self-insured retention are also important issues.
The definitions of key provisions in the policy may also be critical, as in many instances significant limitations may be embedded within such definitions (e.g., an exclusion of regulatory fines in some policies in the definition of covered “damages”).
Time for action is now
While some 60 percent of businesses worldwide are insured for cyber breach (up from 20 percent two years ago), we are, in all respects, dealing with an emerging market in which the lack of standardization, and indeed lack of historical underwriting data, have led to highly variable coverage provisions and pricing for cyber risk insurance.
Armed with the information here, most GCs and risk managers should be able to ask the right questions and engage outside assistance as necessary to lead to an informed initial purchase decision for this new and important line of coverage.
Joseph S. Sano is an equity partner and a member of Prince Lobel’s insurance and reinsurance, and data breach and privacy practice groups.