Are you covered? Here are 6 things to know about cyber liability insurance (also known as data breach insurance):

  1. Coverage is still evolving. Over 60 insurance companies – maybe more – offered such a policy; however, to date, policy forms have not been standardized as compared to other insurance types where ISO has created, and insurers have largely adopted, standard forms. Every cyber policy is at least a little different and requires individualized review.
  2. Coverage can depend on whether the breach was to a client's information or the company's (and employee's) information. While generally, cyber policies provide coverage for various types of harm related to information misuse/theft usually regardless of format (e.g., electronic or paper), many policies make distinctions between third party liability (e.g., a third party making a claim against the insured) and first party liability (losses the insured experiences including from employee claims) of various types. Notably, a claim made by an insured's employee may not be covered by third-party policy coverage. This is because such claims are considered to be "first party" claims by policy definition – an employee of an insured is an insured and therefore excluded as a first party claim. Policies vary; sometimes first and third party coverages overlap, sometimes they do not. It is important to obtain cyber insurance with "complete" coverage – a policy or policies that covers employee claims in addition to third party claims or at least make the strategic decision not to purchase "complete" coverage.
  3. Typical commercial general liability ("CGL") policies do not provide coverage for most cyber risks. Some case law has found that certain parts of CGL policies do provide some coverage at the margins (usually under Part B, advertising injury coverage). However, CGL should not and cannot be relied on to provide cyber coverage in the main, and should only be considered a last resort, "long shot" coverage for cyber losses when no other more applicable policy is available.
  4. Ransomware and/or Regulatory payments may not be covered. While policies vary, most will not reimburse you for payments that you may make to pay ransomware. Moreover, the Federal Trade Commission has filed almost 60 enforcement actions related to lack of data security in the past several years. Here again, policies vary regarding paying for regulatory enforcement fines. 
  5. Cyber policies may or may not provide previously identified experts to help you with a breach. Some policies—similar to an automobile policy that provides a "defense" as part of its basic coverage—provide previously identified professionals to help you with the breach, for example, forensics, crisis communications specialists, and breach attorneys. If your policy does not, you should identify and usually retain such professionals now (consistent with the policy of coverage) rather than wait for the crisis to occur.
  6. Obtaining cyber insurance is easier if the company has policies and procedures in place to govern privacy, data security and a breach plan. The issuance of a cyber-risk policy is much like any other policy in that the insurance companies base their premiums on the underwriting of the risk. Risk is increased without adequate controls and plans in place. As such, having a plan in place will usually aid in procuring the policy.

BONUS: The Department of Homeland Security offers free tools regarding cybersecurity issues that may be useful to you: https://www.us-cert.gov/ccubedvp/business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.