Make no mistake, all companies—big or small—are vulnerable to a privacy breach or a network security incident. Cyber liability is the “new normal.” Cyber liability can be attributable to human error, hackers, digital espionage, data theft, denial-of-service attacks, electronic sabotage, improper employee or contractor access, computer viruses, or programming errors. Although network security incidents receive the most publicity, most insurance claims involve a breach of privacy. “Despite concern over cyber risks, many companies continue to underestimate or not recognize the potentially serious financial impact of a major cyber event.”1 This article highlights the basic nuts and bolts of cyber insurance, including the who, what, where, when and why of cyber insurance.
The standard general insurance policies—Commercial General Liability, Errors & Omissions, Business Owners, Management Liability, Crime, Professional Liability, Employment Practices Liability, Kidnap and Ransom, Internet Media Liability and Property Business Interruption and Data Loss—are not enough to protect against cyber risks. The cost of a cyber liability policy is nominal compared to the risk of uninsured or uncovered loss under a non-cyber policy.
Chubb Insurance Company’s 2012 Public Company Cyber Risk Survey found: “(1) 2 in 5 companies experienced a significant cyber security issue in a 12-month period; (2) a typical data breach in 2011 resulted in $5.5 million in organizational costs; (3) 46 U.S. states have enacted some type of security breach notification legislation; and (4) 52% of companies are dedicating additional resources toward mitigating their cyber risk.”2 In 2012, the average cost for: (1) “legal defense was $582,000, while the average legal settlement was $2.1 million”; (2) “Crisis Services, including forensics, notification, call center, credit monitoring and legal guidance, was $983,000”; and (3) Forensics was $341,000.3
The Ponemon Institute found that “negligent insiders and malicious attacks are the main cause of data breach: 39% of incidents involved a negligent employee or contractor, 37% concerned a malicious or criminal attack, and 24% involved system glitches.” “Malicious attacks are the most costly. The organization’s cost of a data breach was $5.5 million.”4 An example of a malicious attack, as described by Tenant Risk Services, is when a business is hacked by a local teenager who steals social security numbers and bank account details from customer files. The teenager sells the information to an Internet website, which uses the information to create false identities for criminals to use. The business incurs notification and credit monitoring expenses and will incur legal expenses and damages from potential lawsuits.
In the 2012 Cyber/Privacy Insurance Market Survey, Betterley Risk Consultants reported that the “average costs for crisis services (forensics, call center, credit monitoring and legal counsel) was $983,000.” According to a June 2012 study conducted by Symantec, a cybersecurity firm, “Nearly 40% of all targeted cyber-attacks take aim at businesses with fewer than 250 employees.”
Federal Rules & Guidelines
SEC Guidelines. On October 13, 2011, the Securities and Exchange Commission’s Division of Corporation Finance released “CF Disclosure Guidance: Topic No. 2 – Cybersecurity.” The SEC guidelines require publicly traded companies to disclose “material information” regarding cyber-attacks and the costs to shareholders. The SEC guidelines require a company to disclose a “description of relevant insurance coverage.” A director or officer now has an additional layer of fiduciary duty to exercise an increased level of corporate governance over the company’s cyber security.
FTC “Red Flags Rule.” On December 31, 2010, the FTC “Red Flags Rule” (16 CFR 681) became effective. The Rule applies to financial institutions and “creditors” with “covered accounts.” The Rule requires the company to adopt Identity Theft Protection Programs that identify “Red Flags” or warning signals that alert a company to the risk of identity theft, and that detect, mitigate, and deal with identity thefts when they occur.
Gaps in Coverage
To avoid gaps in coverage, a company should retain coverage counsel to evaluate the insurance program. Traditional insurance programs include CGL Insurance, Property Insurance, Directors and Officers Insurance, Professional Liability, and Employment Liability. Coverage counsel can help a company determine the risks and dangers of not having the right insurance in place.
A standard business policy typically does not cover liability for loss of customer or employee data. A standard CGL policy typically covers damage to “tangible property” and some types of “personal injury” or “advertising injury.” Tangible property under a CGL policy does not cover lost computer data, and the policy probably excludes damages arising from criminal actions committed by the insured or hackers who engage in intentional wrongdoing. A data breach does not fall under the category of fire and windstorm, which often falls under the definition of “property.” The “personal and advertising injury” provision of a CGL policy has limitations as well because a data breach may not be considered a “publication” of private material.
In Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010), an action was commenced against the insured Eyeblaster, an online marketing campaign management company, for allegedly infecting an individual’s computer with a spyware program, resulting in, among other things, data loss. The Eighth Circuit found that the allegation triggered a duty to defend under the E&O policy because the insured’s activity of causing software to be installed on the computer, while intentional, was not a wrongful act.
A Directors & Officers’ liability policy usually provides coverage to a director and officer, but a property exclusion may apply to bar coverage.
A stand-alone cyber liability policy covers the gap in coverage between standard policies. A cyber liability policy may provide coverage for: liability for permitting access to identifying customer information; transmission of a computer virus or malware to a third-party business, customer or business partner; failure to notify a third party of their rights under the applicable regulation in the event of a security breach; and “advertising injury” (copyright infringement, libel and slander).
Where an insured has no cyber liability insurance, carriers are defending their rights and commencing declaratory judgment actions to establish that the loss is not covered under a standard CGL policy.
In April 2011, hackers attacked Sony’s PlayStation Network and 77 million records were exposed. Sony filed a claim with its carrier Zurich American Insurance Company to defend and indemnify the company from class-action lawsuits, miscellaneous claims and regulatory investigation under the primary and excess CGL policies. Sony’s remediation costs for the breach are approximately $170 to $173 million. In July 2011, Zurich filed a declaratory judgment action in New York Supreme Court to maintain its denial of coverage under the CGL policies, thus absolving Zurich of its obligation to defend and indemnify Sony against the data breach claims. Zurich argued that the CGL policy does not cover Sony for damages arising from cyber incidents. The CGL policy covers “bodily injury” and “property damage” caused by occurrences other than cyber-attacks. Zurich American Ins. Co., et al. v. Sony Corp. of America, et al., Index No. 651982/2011, New York County Supreme Court.
In 2012, Arch commenced a coverage litigation action against Michaels Stores, Inc. Michaels Stores allegedly failed to safeguard PIN pad terminals, which allowed criminals to fraudulently access and use customers’ credit card and debit card information. Arch alleges that the CGL policy excludes electronic data from the definition of “tangible property.” Arch alleges that coverage is further denied under the CGL policy’s exclusion for loss “arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
Overall, traditional policies do not cover all loss. First, a CGL policy only covers “tangible property,” usually has an exclusion for electronic data, and excludes claims arising out of “blogs” a company owns or hosts. Second, a property policy usually covers loss of business income if there is direct physical damage to property, not damage caused by hackers that shut down an operation. Third, crime policies do not cover claims for damage to intangible property and there is usually an exclusion for loss of confidential information. Fourth, a D&O policy typically excludes claims arising out of bodily injury including emotional distress, property damage and personal injury. And finally, other than a cyber insurance policy, traditional policies do not cover notification expenses.
Types of Coverage Provided
A cyber liability policy is usually a “claims made” policy. Coverage is triggered if, first, the claim arises within the policy period and, second, the insured reports the claim to the insurer within the policy period and any extended reporting period. The policy generally covers:
Liability — Coverage for defense and settlement costs arising out of the insured’s failure to properly care for private data, business interruption, and software or hardware replacement.
Remediation — Coverage for crisis management, public relations, customer notification, credit monitoring, forensic investigation, and regulatory compliance.
Fines and/or Penalties — Coverage for costs to defend a lawsuit, pay judgments and settlements, and respond to regulatory investigations.
Intellectual Property — Coverage for copyright infringement, trade or service infringement, and patent infringement.
Other Coverages — Virus, unauthorized access, security breach, personal injury, and loss of use.
First Party Coverage (Property and Theft)
First-party claims are brought against an insured by those whose private data has been breached. Loss may include: financial loss arising from damage, destruction or corruption of a company’s information assets (e.g., customer lists, privacy information, business strategy, competitor information, product formulas or trade secrets), loss of revenue, operating expenses incurred due to a denial of service, and the cost of restoring or recreating stolen data. Coverage under a cyber policy includes: liability for privacy and confidentiality breaches; copyright, trademark, and defamation; malicious code and viruses; business interruption, network outages, computer failure; attacks, unauthorized access, theft, web site defacement and cyber extortion; and intellectual property infringement.
Third Party Coverage (Privacy and Data Security)
Third-party claims are brought against an insured by customers or other third parties if the alleged loss results from a “wrongdoing” by the insured company in connection with computer systems, the internet or other information-related matters. These types of claims can range from liability against a company, its directors and officers (e.g., mismanagement or breach of fiduciary duty) or employees (e.g., company’s presence on the web, negligent performance of professional services, transmission of malicious code or denial-of-service attack). Other claims include theft of customer information (e.g., credit card information, financial information, health information or other personal data), trademark, copyright, libel, invasion of privacy, transmission of malicious code, and customer suits.
3. Mark Greisiger, President of NetDiligence, “Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches.”
4. Ponemon Institute LLC, Report: March 2012, “2011 Cost of Data Breach Study, United States.”