Cyber Liability Insurance - Coverage for Data Breaches

Protection Against Network and Data Breaches

Privacy and related words inside an eye shape very shallow depth of field
Warchi / Getty Images

Does your company need cyber liability insurance? If your firm utilizes electronic data, the answer may be yes. This article explains the types of activities that can make your business vulnerable to cyber-attacks and resulting lawsuits. It also describes the coverages that may be included in a cyber liability policy.

Who Needs It?

Cyber liability coverage can be important for any company that uses electronic equipment to conduct its operations.

You may need this coverage if you do one or more of the following:

  • Communicate with customers via email, text messages or social media
  • Send or receive documents electronically
  • Advertise your company via electronic media, such as a website or social media
  • Store your company's data on a computer network. Examples of company data are sales projections, accounting records, tax documents, and trade secrets.
  • Store data that belongs to others (such as employees or customers) on a computer network. This data may include customer names and addresses, customers' credit card numbers, employees' birth dates and social security numbers, and other sensitive information.
  • Sell products or services through a company website

These activities can help your company operate efficiently and effectively. Yet, they also generate risks.  For one thing, the data you store on your computer system could be breached or damaged, resulting in lawsuits against your firm.

Secondly, you could incur large out-of-pocket expenses to repair or restore lost or damaged data.

Covers Claims Not Insured by CGL Policy

Cyber liability insurance covers lawsuits stemming from events such as data breaches, the inability to access data, or the failure to adequately protect data from thieves.

Such lawsuits aren't covered by a standard commercial general liability (CGL) policy.

For one thing, damage to electronic data does not qualify as property damage under a CGL policy. This is because electronic data is not considered tangible property. Secondly, most CGL policies contain a specific electronic data exclusion. This exclusion eliminates coverage for claims based on the loss, damage or corruption of data or the inability to use it.

For example, suppose that your company provides bookkeeping services. A virus invades your computer network and damages a client's data. The client is unable to obtain the records he needs to obtain a loan. He sues you for the damage to his data. The suit will not be covered by your CGL policy. Damage to your client's data does not qualify as property damage.

Cyber Liability Policies

Cyber liability policies protect businesses against lawsuits filed by customers and other parties that result  from security or privacy breaches. Policies vary widely from one insurer to the next.

Some cover claims alleging libel or slander, invasion of privacy, or infringement of copyright and other intellectual property rights. Note that virtually all cyber liability policies apply on a claims-made basis.

In addition to third-party liability, most cyber policies cover various first-party expenses. Here are examples of the coverages that are often included (or available):

  • Business Income and Extra Expense Covers income you lose and expenses you incur due to a full or partial shutdown of your computer system because of a hacker attack, virus or other insured peril. This coverage differs from the business income and extra expense insurance that are available under a commercial property policy.
  • Loss of Data Covers the cost of restoring or reconstructing your data that was lost or damaged due to a virus, hacker attack or other covered cause
  • Associated Costs Covers costs you incur due to a data breach. Examples are the cost of notifying affected customers as required by law, and the cost of providing credit monitoring to affected customers.
  • Cyber Extortion Covers the costs associated with an extortion threat. For example, an extortionist threatens to exploit a security flaw in your computer system or attack your system unless you pay him or her a sum of money.

Some insurers have developed separate cyber liability policies for specific types of businesses. For instance, one policy may be intended for technology companies while another is designed for health care organizations. Some insurers offer a range of coverages on an "a la carte" basis. This enables insurance buyers to select the coverages they need the most.

Obtaining Coverage

Your agent or broker can help you obtain cyber liability insurance by submitting an application on your behalf to an insurer that offers the coverage. The application is likely to ask detailed questions about your firm's computer system and how it is secured. Here is the type of information insurers typically seek:

  • Firewall Does your system have a firewall?
  • Virus Scans Do you scan email, downloaded content or portable devices for viruses?
  • Responsible Person Who is responsible for network security?
  • Security Policy Do you have a written security policy?
  • Protection Software Is your system protected by anti-virus software? Do you use intrusion detection software?
  • Remote Access Do employees, customers or others access your system remotely? If so, what system is in place to authenticate users?
  • Sensitive Data What types of sensitive data (social security numbers, credit card information etc.) do you store on your computer system? Is the data encrypted?
  • Access Do you control access to sensitive data?
  • Data Controls Testing Do you periodically test your data control measures?
  • Data Backup and Storage Do you back up your data daily? Where are the backups stored?

If you are interested in purchasing cyber liability coverage, contact your agent or broker.

Article edited by Marianne Bonner

Continue Reading...