It is impossible to turn on the news today without hearing about cyber security. Data breaches and cyberattacks have become almost a constant threat. As a Miami Insurance Law Firm, we have seen an increase in cyber liability. And it is not just huge corporations that are targeted by cybercriminals. Small businesses are also susceptible to events that can damage reputations and put customers and employees at risk. One of a company’s most valuable assets is its data, and it is important to know that there are specific insurance products available that can not only provide the traditional risk transfer function but can also help your business identify cybersecurity gaps and opportunities for improvement.
How is Cyber Liability Covered
While many cyber liability claims are submitted under commercial general liability (CGL) policies, such claims can also trigger directors and officers (D&O), errors and omissions (E&O) and other policy types. Typically, insurance companies argue that cyber liability, such as claims arising from data breaches involving sensitive customer information, is excluded from coverage under general liability policies. Some insurers are adding cyber-specific exclusions to traditional insurance products. Some courts have concluded that traditional polices do not cover cyber losses.
Today, many insurance companies offer risk-specific cyber insurance policies designed to protect policyholders against data breaches and other cyber-related risks. Roughly 30% of companies currently have some form of cyber insurance. Coverage can protect against first party losses (direct losses to the policyholder) and third-party claims (policyholder liabilities to third parties). First party claims may expose companies to business interruption losses; business income losses; data asset protection (costs to restore and recreate data); responses to cyber extortion; costs associated with forensic investigations; costs to notify the public; credit monitoring; and public relations campaigns. Third party claims may expose companies to privacy liability; security liability; and regulatory body investigations.
How Insurers Judge a Company’s Cyber Risk
Because cyber threats are constantly evolving, it is very difficult to predict cyber risk. However, in evaluating risk, insurers will look for a company to have basic security practices, including installation of firewalls and anti-malware software, enforcement of safe password practices, as well as documenting a crisis management and response plan. In this way, the risk evaluation process could itself lead to greater cybersecurity. Indeed, it is critical that companies present themselves to a potential insurer in the best possible cyber risk management posture. Moreover, coverage should be as broad as possible (look for an all-risk construction), to protect against the ever-evolving cybersecurity threats and the high exposure claims cyber liability can involve.
When is Cyber Liability Coverage Triggered
In the context of a data breach, the issue of when the policy is triggered is not always straightforward. For example, a third party or customer will not likely know their information has been breached until the company notifies them, at which time they may bring a claim. Thus, the costs incurred by the company to notify customers or third parties of the data breach may not be covered as the insurer is likely to argue that these costs were incurred before a claim was made, so coverage had not yet kicked in. To avoid this scenario, look for a policy that is triggered upon the discovery of a data breach.
Let Miami Insurance Law Firm Ver Ploeg & Marino Help You Navigate the Complex Cyber Liability Arena
If you are faced with a coverage dispute with your insurance carrier involving a cyber liability claim, or need assistance with risk management, we welcome you to contact VPL at 305-577-3996 or via email.Share