BizTech Law Blog

5 Tips for Investigating and Purchasing Cyber Insurance

In 2016 Lansing, MI's Board of Water and Light fell victim to a cyber-attack that resulted in $2.4 million in costs, including a $25,000 ransom paid to the perpetrators. In the aftermath of the breach, BWL announced that it was filing for a $1.9 million insurance claim under its cyber insurance policy, including $2 million in covered losses, less a $10,000 deductible.

There is a lot at stake for businesses when it comes to cyber-crime, which is why more and more businesses are investigating and purchasing cyber insurance to hedge against the risks associated with cyber security and data privacy.

Businesses face challenges in selecting and negotiating the right cyber insurance policy, however. The lack of standardized policy language and the inadequacy of many “off the shelf” policies in meeting a particular business’s needs make it critical that careful thought and planning go into the selection of cyber insurance coverage.

Here are five important considerations to keep in mind when it comes to purchasing a cyber insurance policy:

1. Examine Your Business’s Needs
   The first step in purchasing cyber insurance is having a firm grasp on your business’ needs. A business must assess the type and scope of data and information that is stored and sent on its IT infrastructure, and thus potentially vulnerable to breach. This applies not only to information that is on the business’ own systems, but also those of its vendors and to the extent data is stored offsite. Doing this type of assessment will allow a business to make informed decisions about the type and scope of insurance coverage it needs.
2. Consider Your Existing Coverage
   Before purchasing a new policy, your business should examine its existing policies to determine what type of cyber risks may already be covered. Commercial general liability policies may already provide coverage for things like privacy and data breaches. Other policies commonly held by businesses such as commercial property, Directors & Officers, and Errors & Omissions, may also offer coverage.
3. Examine Cyber Insurance Options and Terms
   Serious consideration must be given to the policy's coverage, limits, and exclusions. A cyber insurance policy should cover each of the following, at minimum.
   
   
   • Costs relating to investigations, including those relating to administrative and regulatory actions.
   • Fines and penalties.
   • Remediation/crisis management, including the costs associated with a data breach. Several laws require data breach notifications, and sometimes providing credit monitoring services to affected individuals.
   While the above coverages are typically included, a number of add-ons may not be. A business must consider each type of harm it might face to understand whether cyber insurance might be able to help. For instance, some policies cover electronic extortion, network interruption, and even media liability for risks relating to copyright infringement and other intellectual property issues.
4. Don’t Lose Sight of Non-”Cyber” Risks
   While many data breaches take place over digital networks, not all of them do. Data can be stolen from a briefcase in the backseat of an unlocked car, or a banker box in a storage closet. A good “cyber” policy should also cover non-digital data such as paper records.
5. Consider the Cloud
   Some cyber insurance policies purport to limit the scope of coverage to an insured’s own acts and omissions. This is potentially problematic for any business that stores data on a third-party “cloud” network. Given the pervasiveness of cloud networks, it’s important to understand whether a policy excludes acts and omissions of third parties.
   

There are many issues that businesses must consider when investigating cyber insurance policies. There is no “one-size-fits-all” product out there. Finding the right policy to meet an organization’s needs requires a comprehensive, team approach, involving management, IT and legal. If you have any questions concerning cyber insurance, please contact us.

Categories: Intellectual Property, News, Privacy, Technology