Cybersecurity experts have observed that hackers and cybercriminals are increasingly targeting small and medium-sized businesses and that these efforts account for 60% of all cyberattacks. One expert described these companies as the “soft underbelly” of cybersecurity. Companies of all sizes face potentially significant costs in responding to a data breach and losses including business disruption, lost revenue and loss of reputation. The average time to resolve a cyberattack has been estimated at 46 days and costs can increase if the damage is not resolved quickly.
Such expenses could be catastrophic for small or medium-sized businesses, so it is important for such companies to understand the insurance implications and select the appropriate coverage to protect against losses from a cyberattack.
Most small and medium-sized businesses have some form of traditional property and general liability insurance in place to protect against a variety of losses. The products and coverage options vary but these policies typically include commercial general liability (“CGL”) insurance or a package policy containing property and general liability coverage. Traditional business liability insurance generally provides coverage for third-party claims for bodily injury, property damage and personal and advertising injury, while traditional property insurance provides coverage for the insured’s own “property damage” as defined in the policy.
Traditional CGL and property insurance was not specifically designed to cover cyber risks and courts in the United States have been inconsistent in their rulings regarding whether these risks are covered under such policies. For example, some courts have held that the definition of “property damage” in CGL policies does not include the loss of customer data because it is not considered “tangible property.” Other courts have held that claims for loss of data are covered under a CGL policy if asserted by a third party seeking damages while another court held that lost computer files can be considered a “direct physical loss” under a property policy. Courts are also split on whether CGL policies cover third-party data losses as “personal and advertising injury” and have disagreed on issues such as whether the term “publication” includes a hacker’s release of stolen information. Conflicting rulings have also been issued regarding whether exclusions for violation of federal and state privacy statutes bar coverage for cyber losses. One reason for the inconsistency in the case law is that the decisions are based upon the specific facts and policy language in each case.
Following a series of high-profile cyberattacks, including the breach of Target’s customer information in 2013, the insurance industry began to incorporate policy exclusions designed to preclude coverage for certain cyber losses into traditional liability policies. While litigation concerning the scope and validity of these exclusions is ongoing, the takeaway is that coverage for such losses under traditional business policies is uncertain. Given this uncertainty, reliance on traditional insurance to protect a company in the event of a cyberattack may be risky and could expose a company to potentially devastating costs if they are not covered.
In response to early cyberattacks, the enactment of laws relating to data and privacy breaches and questions regarding whether traditional insurance would cover cyber losses, the insurance industry began to offer cybersecurity insurance policies in the mid-1990s. Over 60 insurance companies now offer cybersecurity insurance products.
Unlike traditional business insurance, cybersecurity insurance policies are specifically designed to cover cyber losses and can be tailored to meet the specific risks or needs of a company or industry. Insurers currently offer a number of different cybersecurity insurance products including stand-alone policies and endorsements to traditional business package policies. Insurers may also offer varying policy limits and retentions/deductibles designed to address a company’s level of risk and financial situation.
In contrast to the language of traditional policies, which have been refined through years of regulation and litigation, the language of cybersecurity insurance policies is not uniform and tends to vary from insurer to insurer. That said, cybersecurity insurance typically includes third-party and first-party coverage for cyber losses. Third-party coverage generally includes the cost of defending and paying claims by third parties as a result of a data breach. First-party coverage generally includes coverage for costs incurred by an insured as a result of a data breach including expenses for investigation, regulatory compliance, legal assistance, business interruption and customer notification and protection. Cybersecurity insurance policies may contain exclusions and conditions which limit coverage so it is important for the insured companies to review and understand the provisions in their policies.
The quality and cost of cybersecurity insurance may depend on a company’s ability to prevent and respond to cyberattacks. Some insurers evaluate the potential risk by investigating a company’s network security and cybersecurity procedures so it would be wise for businesses to consider evaluating and improving these items before applying for cybersecurity insurance.
Given the increase in the frequency of cyberattacks on small and mid-sized businesses, the potential costs involved in a data breach and the uncertainty of coverage under traditional insurance policies, it is important for companies to understand the insurance implications and determine whether they have adequate coverage for cyber losses. Simply having cybersecurity procedures and strong network security in place is not enough in today’s business environment, particularly for companies which handle and store certain types of financial or confidential information.
In order to evaluate these issues and protect against the costs of a cyberattack, companies should consult with their insurance broker to determine whether the current coverage is sufficient in light of a company’s business and to discuss potential cybersecurity insurance options if such coverage is needed. Where the coverage is uncertain or there are more complex questions concerning a company’s business, consideration should be given to retaining a cybersecurity consultant and legal counsel to further evaluate the risks involved and coverage that best addresses those risks. Having adequate insurance is just one of the components needed for a small or medium-sized business to properly prevent and respond to a cyberattack and could be the difference in surviving a data breach.