Data breaches have recently made cyber insurance the fastest-growing type of coverage purchased by U.S. companies. In fact, according to Fitch Ratings, the market for cyber insurance grew 35 percent in 2016, with total premiums up to $1.35 billion, and Allied Market Research predicts that the global market may reach $14 billion by 2022.
Sean Hyatt, counsel at Alston & Bird’s insurance litigation and regulation team, advises organizations to seriously evaluate the need for cyber security coverage if they are not already doing so. “No organization is immune from the threat of a data breach, and other types of insurance policies will generally not provide the coverage needed,” he told Inside Counsel in a recent interview.
The growth in this market is likely due to several factors. According to Hyatt, organizations will continue to be more concerned with data security risks, mainly because of numerous well-publicized and expensive data breaches. Certain businesses could face regulatory scrutiny of security practices, including whether cyber insurance is in place. Other types of insurance policies will generally not provide the coverage needed and in fact often specifically exclude data breach coverage.
Organizations should seriously evaluate the need for cybersecurity insurance by carefully analyzing their key cybersecurity risks and whether they have any insurance in place for those risks.
“Companies should ask, for example, whether they hold personally identifiable information or other confidential information, and consider liability that could arise from unauthorized access to such information,” explained Hyatt. “Another risk might be liability to customers or others if the company’s system shuts down. Absent existing coverage for these and other risks, the company should consider purchasing cyber insurance. We recommend consultation with counsel and a broker experienced in this area.”
When it comes to the extent of coverage offered by cyber insurance carriers, there are some frequently asked questions, per Hyatt. He is most often asked about the types of coverage available. Although different insurers’ forms vary significantly, cyber insurance policies typically cover certain first-party expenses resulting from a cybersecurity breach or incident. For instance, he sees coverage for the insured’s expenses for the following: engaging counsel to advise and help respond to an incident, hiring a forensic investigation firm, sending privacy notifications to consumers, operating a call center, offering credit monitoring, hiring a PR firm, business interruption losses, data restoration, and cyber extortion.
So what are practical considerations in evaluating cyber insurance policies? According to Hyatt, it is important to consider the risks an organization faces and review the cyber policy forms under consideration to determine whether those risks are clearly covered. The different insurers’ forms vary and can often be tailored to fit the insured’s needs. So, a company should evaluate the amount of the limits needed, and any exclusions that could limit the desired coverage.
“For example, if the company accepts credit or debit cards, the company may want to ask the following questions: Is compliance with PCI Data Security Standards covered? Are card brand assessments covered? Would there be any contractual liability, fines and penalties, or other exclusions that could limit such coverage?” he said. And if the company holds other types of personally identifiable information or other confidential information, the company will probably want to ensure, to the extent possible, that the policy covers unauthorized access to that information, whether in electronic or hard copy form. The company might also consider whether the policy covers unauthorized access to employee devices and vendor computer systems.
Hyatt added, “We recommend starting the process early and ensuring that the right people are involved to accurately and completely answer the application questions.”
Amanda G. Ciccatelli is a Freelance Journalist for Corporate Counsel and InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation, and more.