The SolarWinds cyber-attack is on everyone’s mind this week, given that most experts believe it will have broad impact across both the public and private sectors. For more details about the SolarWinds attack, please read this. The sheer breadth of this attack led me to reflect on the role of cyber-liability insurance for businesses and why it is critical to understand key policy terms, coverage, exclusions, retention amounts and deductibles.
The initial work for a business begins when it selects its cyber-liability insurance coverage. It is critical to think about the type of business it is and the nature of the data it possesses. Does the business handle protected health information, social security numbers, sensitive personal information, or biometric data? If so, these are among the highest-risk types of data, and the ones that most need protection. The goal is to align the business’s actual risk with the policy’s coverage and limits.
While there is no “standard” cyber-liability insurance policy, most policies provide coverage for financial losses resulting from a data breach or other unauthorized access to, or disclosure of, personal or protected health information. Data breaches are not the only way a business can be damaged in a cyber-attack, however. Some insurance companies offer additional endorsements or specific policy provisions covering losses caused by other means, such as social engineering (e.g., a breach that begins with phishing), credit card losses, denial-of-service attacks, and ransomware. As we have noted many times in this blog, ransomware is probably one of the biggest threats to businesses today. Will the policy pay ransomware costs, including the ransom itself and the cost of restoring systems and data?
It also is important to determine whether the policy covers costs associated with breach response, including forensic and legal costs. Cyber policies typically cover breach response costs as first-party losses, which are direct financial losses to your own business. Third-party losses are different: they are losses claimed by others, e.g., vendors, clients, or customers who claim injury as a result of the data breach, and they may be covered under separate terms and limits. The bottom line is to always check with your broker and read the policy language carefully to determine what is covered. It is just as important to understand the exclusions in a policy, because an exclusion can remove coverage for exactly the kind of incident you expected the policy to address.
Coverage and retention amounts also are important, as the cost of a data breach can be very high, depending upon how many people are affected, the type of data breached, the number of regulators and other entities to be notified, the amount of forensic and legal costs, and whether call center and credit-monitoring services are offered. The retention is the amount the business must bear itself before the policy responds, so a high retention paired with a low limit leaves little actual coverage. Likewise, a sublimit such as $50,000 for social engineering fraud simply will not be sufficient to cover all of these expenses if a phishing-initiated incident turns into a full breach response.
If your business is hit with a cyber-attack, it is important to understand the obligations in the policy as you notify your broker and the insurance company. Policies typically have notice provisions that apply even while you are still gathering the facts. Timing matters: you may need to notify the insurance company of the claim or potential claim before retaining experts for remediation, because costs incurred before notice or without the insurer’s consent may not be reimbursed. Many policies have a breach response team ready to assist you. If you want to retain your own legal counsel or other experts to assist in your response, you will likely need the insurance company’s approval. Once the breach response experts are in place, they will guide your business through all of the necessary steps with respect to remediation, breach notification to regulators and affected individuals, call center activation, and credit monitoring.