With headlines of data breach incidents becoming a weekly, if not daily, occurrence, it’s not surprising that many companies are considering whether they should purchase cybersecurity insurance, if they haven’t already. The need to consider cybersecurity insurance is perhaps intensified by the fact that, more often than not, carriers take the position that general insurance policies do not cover data breach claims and are taking steps to strengthen data breach-related exclusions in general coverage policies.
Companies evaluating cybersecurity insurance coverage should be mindful that not all cybersecurity policies are created equal. Unlike many other types of insurance coverage, where carriers often use industry-standard forms, no such form currently exists for cybersecurity insurance.
The risks involved in cybersecurity events vary widely depending on a company’s industry, types of data involved in its operations and the extent of IT outsourcing arrangements. Consequently, the nature and scope of cybersecurity coverage varies widely from policy to policy and carrier to carrier. If your company is working with an insurance broker to obtain cybersecurity insurance, involving counsel familiar with insurance policy construction and the data regulatory and risk landscape is critical in assuring that the most critical areas of potential exposure are covered.
While not exhaustive, the following includes some of the more critical questions companies should be asking when they are in the process of evaluating cybersecurity insurance coverage.
Do we need coverage for hard copy documents?
Some policies may limit certain coverages only for breaches of data stored on electronic media or devices. But data breach liability can arise from hard copy documents as well. If your company needs coverage for unauthorized disclosures of confidential data on paper, you’ll want to ensure that the language of the cybersecurity policy provides this coverage.
Do we need coverage for regulatory actions and fines?
Federal and state government agencies, including the Securities and Exchange Commission, are becoming more active in the arena of cybersecurity breaches. At the state level, there are 48 state breach notice laws, each carrying its own set of fines and penalties that may be imposed by various state agencies. There is also a flurry of activity at the federal level. For example, in Federal Trade Commission v. Wyndham Worldwide Corp., the Federal Trade Commission (FTC) filed a lawsuit against certain corporate entities affiliated with Wyndham Hotels, claiming that Wyndham Hotels failed to provide reasonable security measures for its customers’ information, such as credit card numbers, and allowed the unauthorized access of such data on multiple occasions. The FTC alleged that this failure violated the Federal Trade Commission Act’s prohibition on unfair and deceptive trade practices. Not all cybersecurity policies provide coverage for regulatory proceedings; therefore, if your company is seeking to insure against such risks, you’ll need to confirm that the policy includes coverage for the types of regulatory proceedings that may be triggered as a result of the company’s operations.
Do we need coverage for confidential data while it is handled by third parties?
If your company outsources any information technology functions to third parties, including through Software as a Service or cloud-based platforms, consider whether you need insurance coverage for cybersecurity incidents that arise while the data is in the custody or control of those third parties, as not all cybersecurity policies cover such incidents. In particular, the need for cybersecurity insurance coverage of such data is heightened if the risks associated with that data are allocated by contract to your company.
Do we need coverage for confidential data of corporate entities?
Much of the focus in the news regarding data breaches is on the disclosure of personal data of individual persons, such as retail customers. Coverage under some cybersecurity policies is limited to losses incurred only by “natural persons”. But if your company, like most, maintains sensitive corporate or competitive information, including information belonging to corporate customers, policies aimed at covering losses of “natural persons” may not cover the losses associated with corporate data assets that are misappropriated during a data breach.
Do we need coverage for derivative claims arising from data breach incidents?
Derivative claims are claims by one or more shareholders brought on behalf of the company. These types of claims are on the rise and are generally expected to occur after a merger or acquisition. Based on recent events such as the Target and Wyndham Hotels data breaches, derivative claims also may become common in the wake of a cybersecurity breach. Shareholders may claim that directors and certain officers, such as a chief information officer, breached their fiduciary duties by failing to implement adequate IT systems and standards to prevent a breach. While derivative claims often are covered by a directors and officers (D&O) insurance policy, companies assessing their insurance coverage for cybersecurity breaches should confirm whether their D&O policy in fact provides such coverage. Having data breach-related derivative claims covered outside of or in addition to a D&O policy also may be preferred to minimize the potential reduction of insurance limits under the D&O policy by claims that may not have been anticipated as D&O risks.
There are many ways to manage and minimize the risks of a data breach incident, such as reviewing and investing in the company’s IT infrastructure, training employees on protecting confidential data and preparing a response plan to handle a data breach incident. But, as even the best of plans cannot eliminate all cybersecurity risks, cybersecurity insurance also can be an important part of managing those risks if the policy provides coverages that are appropriately tailored to the actual risks posed by a company’s particular operations.