What cyber risks is your company exposed to and what insurance options are available? How much of your customers’ or clients’ personal financial or health information is stored in electronic form in your company’s computer systems?
As you collect more pieces of electronic information, the risks of that information falling into the wrong hands can also increase. This is especially true when the wrong hands could be thousands of miles away typing on a keyboard.
The list of cyber risks is always fluid and ever increasing in depth and scope. Such risks include identity theft resulting from security breaches, business interruption from a hacker shutting down a network, damage to data records, theft of digital assets, the introduction of malware or viruses, the cost of credit monitoring for people impacted by a security breach, and even something as simple as human error resulting in inadvertent disclosure of sensitive information through email. Cyber risks can originate from an individual in their basement, to activists making a statement, to opportunists looking for notoriety, and even nation states and terrorists. The risks and the perpetrators are diverse and extensive.
Commercial General Liability polices do not typically cover such cyber risks, which can leave a company exposed to these ever-evolving risks. Cyber liability policies have been, and are being developed, in an attempt to cover these cyber risks. Cyber coverage can include expenses related to cyber extortion or terrorism, or the costs associated with breaches of your customers’ privacy. Cyber liability policies can also cover liability for the loss of confidential information resulting from unauthorized computer system access or the costs associated with replacing and restoring business assets that were stored electronically. Finally, cyber insurance can be written to cover business interruptions resulting from a cyber security breach.
While cyber insurance policies are becoming more common, companies cannot assume their cyber policy covers all of their current cyber threats. There are still gaps that can develop in coverage. These gaps are products of an ever-changing threat matrix that evolves with the always-increasing growth in technology.
Recent court decisions have exposed the risk of these coverage gaps. These include a large restaurant chain seeking coverage for card payment industry data security standard assessments, but could not prove this was included in its cyber policy. This resulted in $2 million in fees and assessments that were not covered.
Another recent case involved whether a crime policy covered a complex cyber-criminal scheme. A court held that a multi-million dollar wire to a fraudulent bank account was not covered because it resulted from human error and not a “direct result” of an email.
In another example, a grocery store was sued by a credit union after credit card accounts were stolen. This theft resulted in reimbursement costs to customers for fraudulent charges, the reissuance of cards, and even claims for the loss of good will. While the policy covered a first-party loss of the grocery store, it did not cover the third-party loss resulting in the credit union suit.
Any potential cyber coverage gaps should be analyzed as a company’s technology use and business structures change. Companies can often find themselves moving forward in business and technology, but be less diligent in pursuing the proper coverage. This is especially true in the relatively new arena of cyber risks and cyber insurance.
Barnes & Thornburg LLP is a large, full-service law firm that seeks to take a more entrepreneurial and cost-effective approach both to client service and its own business.