In the current maelstrom of data breaches, Federal Trade Commission enforcement actions and calls to secure data, insurance carriers are pushing out more and more cybersecurity products each year. Unfortunately for the buyer, while there are many cyberinsurance products and services, there is little uniformity in language, definitions and terms of coverage. As the potential cost of data breaches becomes more extensive and expensive, insurers are naturally attempting to limit their exposure. It is therefore advisable to consider the following when considering purchasing cyberinsurance:
(a) Not all policies are the same: Because of the lack of uniformity of cyberinsurance policies, it is important to read them in their entirety. Do they cover what you want them to cover?
(b) Evaluate your risk: Before determining how much and the types of coverage to buy, evaluate your risk. What are you currently doing to prevent data breaches, and how likely is a breach? In the event of a breach, what information is at risk? What is the likely cost to (i) stop the breach, (ii) perform any forensic analysis, (iii) hire legal counsel, public relations, or other consultants, (iii) respond to regulators, if any, (iv) provide notices to affected customers and state authorities, and (v) pay for damages to customers, pay fines or provide credit monitoring services to customers in the future?
(c) What coverage or indemnities do you have from your vendors?: Have you reviewed your contracts with your vendors in the event they suffer a breach that affects you? Will your cyber-coverage protect you in that event?
(d) What are the policy’s sublimits or deductibles and when are they applicable?: Certain types of coverage arising from data breaches may be subject to sublimits or substantial deductibles. So while you might think you have adequate coverage, you may be responsible for substantial deductibles or self-insured retentions before coverage kicks in, or sublimits in the policy may apply to limit the available coverage depending on the types of losses or damages suffered.
(e) Arbitration Clauses: Does the policy contain mandatory arbitration clauses in the event of a dispute with the carrier, and, if so, where will arbitration be held and who bears what costs?
(f) Does the policy cover first-party loss and third-party damage claims? Data breaches can result in all kinds of losses and claims. Carefully scrutinize policies to evaluate their coverage of both first-party loss (your costs of responding to a breach) and third-party issues (i.e. defense of claims, damages, regulatory responses and investigations, fines and penalties to others).
(g) Where does cyberinsurance fit in with your other coverages? Look at your other insurance (i.e. D&O, E&O, Business Interruption) and evaluate how cyberinsurance dovetails (or not) with those policies.
(h) Understand that cyberinsurance likely does not cover everything. While cyberinsurance can help protect against, and defray costs of, dealing with a data breach, there are some things it will not cover. For example, cyberinsurance generally will not cover damages such as loss of reputation (which could result in lost revenue), that might arise from a breach.
In short, you should not buy cyberinsurance without knowing why you are buying it, i.e. what you are trying to protect and from what. Cyberinsurance is not like auto insurance. Because cars have been around for over a century, automobile policies have become fairly standardized. Cyberinsurance is relatively new, and standardization has been slow to materialize. Thus, purchasing decisions regarding cyberinsurance should be made only after careful consideration.
