Target, Home Depot, Sony, Anthem. All of these companies have been victims of very public cybersecurity breaches. Given what we know about those breaches, how can any other company know that it is safe from a cyber attack? No firewall appears to be unbreachable and no security system impenetrable.
No company is big or small or traditional enough to avoid such exposure, as long as the business receives or transmits data or uses computer networks. And the harm from such attacks is not just bad publicity and possible job losses for those whose files are hacked; there are very real, and substantial, costs incurred by companies when they suffer such attacks.
For instance, there are the forensic costs required to investigate, detect and repair the breach. There is the potential lost income to the extent part or all of the business is shut down for any significant period of time. And there is the cost to remedy the damages to third-party customers and employees. There also may be substantial liability to those third parties, as well as potential exposure of the company’s directors and officers if there are claims that not enough was done to protect the company from such exposures.
One response, obviously, is to engage computer security experts to attempt to protect against such attacks. That, however, may not be enough, and the attacks may still be successful. The next line of defense is to make sure that the company has sufficient insurance to protect against the potentially substantial costs of such an attack.
But what kind of insurance should a company get? Unfortunately, there is no simple answer to that question and, just as with network security experts, it is necessary to consult sophisticated insurance coverage experts on this issue in order to make sure a company has the correct coverage.
Cyber insurance coverage definitely is not a one-size-fits-all commodity. At last look, there were more than 50 companies offering standalone cyber insurance policies.
Those policies are not all identical. In addition, many traditional, legacy policies may provide coverage for at least some of the exposures created by cyber security risks, to the extent such coverages are not excluded by recently added endorsements given the insurers’ concern about such exposures.
Each company needs to carefully evaluate what kind of insurance it needs to protect against the types of exposures it faces. And, unfortunately, not only are all of these policies different from each other, but many of the policies themselves contain significant potential barriers to the kinds of coverage that companies truly will need.
Some of the issues to consider include:
Does the coverage to be provided protect against claims arising out of bodily injury or property damage (for example, caused by a cyber attack on a factory or transportation device, such as a train, plane or automobile, or on the traffic signals or water system operated by a municipality), or is it limited to the expenses and costs of responding to the breach itself?
Does the policy cover forensic expenses, which can be very considerable in terms of identifying the cause of the breach and determining the identity of persons impacted?
Does the policy provide coverage for business interruption loss, including extra expense incurred to operate in the interim, and how is such interruption defined? For instance, what if the service has merely been severely degraded, but there is still some functionality?
What is the retroactive date for such coverage? How far back can the attack have taken place and still be covered? For instance, many breaches may have been caused by the insertion of malware that took place long before the inception of the policy, but the actual harm was not discovered until much later. And how does the policy even determine how the breach was caused if a cause is not easy to isolate and identify?
What if the policy contains a “due diligence” requirement regarding the security of a company’s network and systems? Will a carrier deny coverage if the network is breached, anyway? If so, does all such coverage become illusory?
Finally, does the insurance policy cover only claims arising from the theft of third parties’ confidential information, such as bank accounts and personal health information, or does it also cover the loss of a company’s own confidential information, as happened in the Sony attack, in which its own reputation may have been damaged as well?
The conclusion is that companies need cyber insurance coverage and also need to be very careful that they are getting what they actually need.