Insurance Update: Insuring Your Business Against Cyber Risks (Part One)

Emergent partner Peter Roldan not only litigates insurance coverage matters and provides advice to other attorneys on insurance issues in their cases, but also advises companies on how to avoid gaps in their insurance and how to maximize their coverage. Below is the first in a series of posts from him on the increasing need for cyber-insurance.

Data breaches. DDoS attacks. Ransomware.

Ask any IT professional and he or she will tell you that these are some of the biggest cyber risks that their clients face.

As businesses continue to move more of their operations online and into the cloud, they need to prepare for these threats just like they would any other disasters.

For most businesses, that means obtaining insurance, and many business owners have heard that their businesses need to carry cyber-insurance coverage.

But what exactly does cyber-insurance cover that isn’t already covered under standard commercial property or commercial liability policies? Does your business actually need an additional, specialized insurance policy? These days, the answer is most likely “yes.”

Almost all businesses face exposure to cyber risks that are not covered under traditional lines of insurance, and these risks can result in losses that would be difficult to absorb. In a worst-case scenario, it could mean the end of a business.

Of particular concern are risks relating to data breaches, denial of service attacks, data loss or ransoming, and hacking. Businesses that provide online content or that are heavily involved in social media activities also face additional risks that are often excluded under standard commercial liability policies.

In this multi-part series, we’ll help business owners to better understand the risks that are covered (and not covered) by these policies, and provide them with the tools to ensure that claims are paid when a loss occurs.

What Is Cyber-Insurance?

Insurers offering cyber-insurance coverage typically provide coverage under their own unique policy forms (unlike commercial general liability coverage, which is usually written on policy forms using standardized language). Because each insurer is using its own forms, there’s no such thing as a standard cyber-insurance policy.

These policies often provide both property/casualty (first-party) and liability (third-party) coverage for cyber risks:

First-Party Coverage:

● Distributed denial of service attacks (DDoS)

● Damage to networks and equipment

● Data loss

Liability (Third-Party) Coverage:

● Data breaches

● Internet/media activity

● Regulatory action and statutory violations

In addition to stand-alone cyber-insurance policies, some limited coverage for cyber risks can also be included as endorsements to more traditional first-party and third-party policies. Before purchasing a cyber-insurance policy, it is a good idea for business owners to review their policies with an insurance professional in order to determine what is already covered and to identify the potential coverage gaps.

In our upcoming posts, we’ll examine some of the specific coverages that apply to cyber-risks, starting with data breaches, as well as the issues businesses should be aware of when applying for and purchasing cyber-insurance policies.