Cyber Insurance: Does Your Business Need It?
Recently, Experian became the victim of a cybersecurity breach that compromised personally identifiable information of over 15 million people. Experian, Target, eBay, Anthem, Wyndham, Sony, Ashley Madison and several others are constant reminders that no business is immune to a breach. The increased frequency of these breaches and other cyber events causes many businesses to consider managing the risk of cyber insecurity through insurance. Cyber insurance, like many other forms of insurance, can provide businesses with some relief from the tremendous costs of dealing with a cyber event, such as a data breach or a cyber attack. Although cyber insurance is not a new concept, it is now receiving the attention it deserves.
Direct consumer suits, increased government regulation, and the potential for shareholder derivative suits expose businesses to significant threats of financial harm after a breach. But even before litigation occurs, the time and money businesses are forced to expend to pick up the pieces after a breach or other cyber event are burdensome. The costs of communications experts, forensic analysts, and business interruptions must all be considered. In the event of a data breach, adequate preparation, which should include obtaining insurance coverage for cyber events, is the most effective cost-mitigation tool.
Maintaining cyber insurance is an important factor in determining compliance with legal standards of care and should be carefully considered when creating a breach response plan. The strength and viability of a business's response plan can impact what insurance coverage is available and at what cost. Examine the terms of current policies to ensure there is adequate coverage for first-party and third-party costs associated with a cyber event. If you have a commercial general liability (CGL) policy in place, it likely does not provide coverage for cyber events. In some cases, directors and officers (D&O) insurance may be necessary, and it is often not part of a cyber policy.
Identify coverage exclusions and limitations. Some policies may exclude coverage for failing to implement basic cyber security or for failing to comply with the latest industry standards and notification procedures. In addition, many policies do not cover reputational harm. For existing policyholders, an in-depth review of the policy's terms should be performed as soon as possible to determine the need for supplemental coverage. Seeking the advice of counsel with experience in data risk management and insurance will help your business adequately prepare for a cyber event.