The growing exposure from data breaches and ransomware, along with the tightening of federal and state privacy laws, is creating a tsunami of risks and loss that few companies would have contemplated just a few years ago. These are losses that can impact a wide range of organizations -- from giant retailers to manufacturers and small and midsized businesses.
For information security teams working to stay ahead of the curve with the best and most sophisticated cyber defense strategies, it’s a constant battle. But in the face of a massive breach, like recent attacks against Target, Home Depot, and JPMorgan Chase, companies are also starting to look seriously to cyber insurance as the ultimate in infosec liability protection. Whether cyber insurance is adequate to address these multiple risks is another question.
What’s in your existing insurance?
A robust risk management assessment is the first step to uncover the coverage gaps in your company’s insurance program. A general liability policy is an industry standard, and it provides liability coverage for bodily injury, property damage arising out of an insured’s operations, products, or premises, as well as personal and advertising injury. However, these policies were never intended to provide coverage for liability and first-party notification expenses resulting from the disclosure of personally identifiable, confidential corporate, or personal health information. In fact, insurance carriers have recently begun adding exclusionary endorsements to ensure that their policy language does not provide coverage for any of these potential claims.
In response to this gap in coverage, the insurance industry developed cyber liability policies. The structure of these policies mirrors a standard business automobile policy in that they provide coverage for both third-party liability claims against the insured and first-party claims the insured make against their own policies. However, many off-the-shelf cyber liability policies feature a variety of broad exclusions companies should be aware of, including:
No coverage for breaches of protected information in paper files. Despite the name, a cyber liability policy can and should cover breaches of protected information on paper files in addition to electronic records, yet some policies don’t.
No coverage for claims brought by the government or regulators. A large exposure for most companies is the potential legal action brought by the Office of Civil Rights, the Department of Health and Human Services, and the Office of the Attorney General, among others. Failure to provide at least defense cost coverage or coverage for fines and penalties can leave a gap in protection.
No coverage for vicarious liability. When a company entrusts data to a third-party vendor (e.g., a third-party processor or cloud provider) and the breach occurs on the vendor’s system, you’d expect to be protected. However, some cookie-cutter cyber liability policies won’t cover this.
No coverage if you fail to encrypt data. This exclusion forces encryption of data or else no coverage is provided.
CISOs are well aware of the fact that it’s not a matter of if but when their companies will be hacked, and to what degree. In an era of tightening security budgets and heightened risk, it’s critically important to take a hard look at whether current cyber liability policies can both help companies get out of tough situations and keep them moving in the right direction.