Recently, however, insurance companies have begun to offer policies specifically designed to provide coverage for data breaches, cyberattacks and similar incidents, so-called "cyberinsurance." This line of coverage is relatively immature and has been evolving over the years. In general, coverage can be obtained for a variety of costs, such as crisis management and public relations expenses, notification to affected parties, credit monitoring services, call centers, computer forensic investigations, as well as losses attributable to an interruption in business and network failures. Coverage for the restoration or re-collection of lost or damaged data is also available. Some policies also provide access to "breach preparedness" information to help alert policyholders to potential issues.
Mike Donovan of the Beazley Group, a leader in the cyberinsurance market, notes that most companies that experience a breach have never dealt with anything similar before, and decisions must be made quickly and correctly to mitigate reputational damage, satisfy regulators and limit potential liability. Beazley's coverage includes providing access to its panel of experienced privacy and data breach lawyers, computer forensic consultants, crisis management professionals, notification companies and credit monitoring companies, who can spring into action in the event of a breach.
Coverage under cyberpolicies can extend to violations of privacy laws, including (where permitted under law) payment of fines. Some policies provide cyber-extortion expense coverage, which covers expenses in connection with an extortion threat to cause an actual interruption, suspension, or failure of the company's computer system, including the failure to prevent unauthorized access or unauthorized use of the computer system. Although not limited to cyber-risk situations, coverage also can be obtained for proactive costs incurred to avoid or minimize the potential impact of a "Reputational Threat" and for response costs to minimize the impact of a "Reputational Attack."
Cyberinsurance can be especially attractive to entities that utilize cloud computing. When entering into cloud computing contracts, customers typically have little leverage in negotiating data security issues and the ramifications of the provider's liability for breaches and failure to comply with privacy and other relevant laws. Cloud customers may not be able to contractually transfer the risk of data breaches to the provider. In fact, they may not even be permitted to conduct a forensic investigation of a breach affecting their own hosted data. Cyberinsurance that covers networks controlled by third parties may provide otherwise unavailable protection for cloud-dependent entities.
According to Ben Beeson, Partner and head of the global technology and privacy practice of insurance broker Lockton Companies, it is estimated that there are now sixty specialist insurers underwriting cyber-risks between the U.S. and the London insurance market. Gross written premium to date is thought to be approximately $800 million and to grow to $4 billion over the next few years. Because the policies currently on the market are varied in their scope and provisions, and the risks at issue and coverage provided may not be well understood across the board, prospective buyers should consider seeking out the advice of experienced professionals in order to select the right policy with the right coverages based on the needs of the potential insured.
Judy Selby is a partner at Baker Hostetler. Email: firstname.lastname@example.org.