An upsurge in cyber attacks and ransomware is costing businesses millions of dollars and causing immense reputational damage, increasing costs and requirements for cyber insurance coverage at a time when businesses need it more than ever.
In 2020, corporate ransom payments increased by more than 300% from the previous year and totaled more than $350 million. This trend continues in 2021, as cybercriminals take advantage of the confusion and vulnerabilities exposed or exacerbated by the ongoing pandemic. Since the impacts of cyber attacks and ransomware can be devastating, companies looking to mitigate these risks look for stand-alone cyber insurance policies.
There are several key considerations to keep in mind when choosing a policy or obtaining additional coverage.
What is cyber insurance?
Traditional insurance policies weren’t designed to cover many of today’s cyber risks. Such policies (for example, commercial liability, professional liability, errors and omissions, directors and officers, and kidnapping and ransom) generally do not contain an explicit grant of coverage for these risks. And in recent years, insurers have added cybersecurity exclusions to some policies and/or changed the wording of policies to decline coverage for cyber risks.
To avoid any uncertainty as to where businesses can find coverage for cyber risks, insurers are offering increasingly robust stand-alone cyber policies. Cyber policies manage the potential exposure of policyholders to, for example, data breaches, ransomware attacks, theft or loss of unencrypted assets, insider threats, denial of service attacks, supply chain cyber attacks, business email compromise, exploitation of cloud misconfigurations, and other nation-state and cyber criminal activity.
The scope of cyber policies can vary widely, and companies should regularly review their insurance contracts to ensure coverage adequacy as the cyber threat landscape evolves.
In light of the changing cyber risk landscape, insurers are also reassessing the coverage they can afford to offer, taking a closer look at policyholder cybersecurity programs and increasing premiums by up to 30% or more per year, according to a study by the United States Government Accountability Office.
What does cyber insurance cover?
Property and casualty insurance policies generally cover both first and third party losses.
First party coverage directly protects the insured against damage and loss, including coverage for:
- Post-incident forensic investigation;
- Data recovery and restoration, including negotiation and payment of a ransomware claim;
- Breach notification to comply with legal and contractual obligations;
- Credit monitoring and identity theft protection services for those affected by the incident;
- Management of public relations and communications to mitigate potential damage to reputation;
- Interruption of network activity; and
- Legal fees related to breach notification.
Third party coverage, on the other hand, deals with the liability of the insured to others. Such liability may arise from settlements of disputes or judgments, civil penalties resulting from regulatory investigations and contractual obligations to indemnify customers or business partners.
When selecting cyber coverage, it is essential that businesses understand the types of risks they are likely to face in the event of a serious cyber incident.
What falls outside cyber insurance policies?
As with traditional policies, cyber policies contain important conditions, limitations and exclusions and do not cover all types of claims or losses.
Typically, cyber policies do not cover the costs of improving internal systems, such as software and hardware upgrades, or future lost profits. Personal injury and property damage may also fall outside the scope of cyber policies. Many policies exclude coverage for government fines and penalties.
Key considerations when evaluating policies
In addition to considering the appropriate amount of cyber insurance to purchase, it is important to carefully consider the terms. Key legal considerations when choosing cyber policies or additional coverage include, but are not limited to, the following:
Claims-made and occurrence policies
Claims-made policies are triggered by claims made by the insured during the active period of the policy (or the extended reporting period). Occurrence policies are triggered by events during a specific insurance period, regardless of when claims arising from those events are made by the insured.
By covering both direct losses and third party losses, cyber policies are a bit of a hybrid and require special attention to the insurer’s information requirements.
Exclusion for acts of war and terrorism
Cyber policies can exclude losses resulting from acts of war or terrorism. Consider whether your insurance will apply in certain cases of nation-state sponsored or politically motivated attacks, especially given the increased willingness of the federal government to name and shame countries for specific cyber events.
Known cyber risks
Cyber policies often exclude coverage when the insured knew or reasonably should have known of a specific cyber incident or risk before the policy was taken out. Since some types of cyber attacks start months before they are discovered, it is important to pay attention to policy provisions regarding dates of discovery, as well as exclusions for pre-coverage events. Obtaining coverage should begin long before a specific risk arises.
Coverage for investigations
Many cyber incidents will involve investigations by government agencies, including state attorneys general, the United States Federal Trade Commission, and industry-specific regulators. Check to see if your policy will cover responses to these kinds of pre-litigation inquiries.
With cyber attacks and ransomware incidents becoming more prevalent and increasingly disruptive, it is essential that businesses examine their risks and consider whether their existing insurance policies cover probable cyber risks.
This column does not necessarily reflect the opinion of the Bureau of National Affairs, Inc. or its owners.
Michelle Kisloff is a litigation partner in Hogan Lovells’ Washington, DC office. She leads the firm’s privacy and data security litigation practice and represents clients in privacy and data protection and regulatory enforcement disputes.
Jasmeet Ahuja is a senior partner in the firm’s New York and Philadelphia offices. An engineer with nearly a decade of national security experience, she represents clients in areas ranging from cybersecurity incidents to complex antitrust litigation.
Andrew Bank is a senior partner in the Washington, DC office. He represents clients in commercial litigation and arbitration, with a focus on privacy and data security disputes.