Posted by Shelley Glazer and Brandon King
Cyber attacks are on the rise; this is especially the case during the COVID-19 pandemic. And the stakes are high; Target’s 2013 data breach, for example, gave rise to $248 million in remediation expenses. Of course, Target’s breach isn’t an isolated incident, just ask Sony, Home Depot, Yahoo!, and the World Health Organization. See WHO reports fivefold increase in cyber attacks, urges vigilance, World Health Organization (“Since the start of the COVID-19 pandemic, WHO has seen a dramatic increase in the number of cyber attacks directed at its staff, and email scams targeting the public at large.”).
So, are you covered by insurance? CGL policies generally don’t cover damages arising from cyber attacks and related data breaches; those policies usually cover damage to tangible property, not intangible property, like electronic data. In fact, recent CGL policies contain exclusions for loss of or damage to electronic data. Business-interruption and E&O policies may provide coverage, and the same is true of commercial-crime policies. Of course, whether any particular policy provides coverage in the event of a cyber attack turns on the policy’s language. However, given the trend towards cyber-specific policies, coverage under traditional policies is becoming less common. See Jes Alexander, Anatomy of a Data Breach—What Cyber Policies Should Cover, 13 J. Tex. Ins. L. 5 (2015) (“Those companies that rely solely upon CGL or other general policies do so at great peril.”). Companies should, as a matter of prudence, engage counsel to ascertain whether and to what extent they are covered in the event of a data breach.
When evaluating a cyber-insurance policy, companies should pay particular attention to whether the policy’s coverage is first party, third party, or both. First-party coverage will deal with the insured’s own losses resulting from a cyber attack, while third-party coverage concerns the insured’s liability to others resulting from breach or cyber event. Given the complex nature of cyber breaches and the often sensitive nature of information at issue, companies should ensure their policies contain both coverage sections (and this is usually the case).
Additionally, many companies confident in the strength of their cybersecurity infrastructure might be unaware that an increasing number of cyber attacks are aimed at third-party vendors. For this reason, companies should engage in a thorough vetting of any particular vendor’s cybersecurity practices, consult with counsel to strength indemnity resulting from a vendor breach and, most importantly, ensure that both the company’s and the vendor’s insurance policies cover losses stemming from a cyber attack.
There are a variety of cyber-related coverages to choose from; some are broad, cyber-liability polices—which address harm resulting from cyber activities (e.g., unauthorized disclosure of private information), as well as cyber infringement, injury or damage to information systems, notification expenses, e-theft, and cyber extortion. Then there’s event-management or breach-remediation coverage, which may cover costs related to managing a data breach (sometimes including a breach of a cloud service or other third party storing your data), such as costs associated with providing notification to compromised individuals, restoring lost data, and hiring legal counsel, public-relations consultants and forensic investigators. Crime-specific policies are also helpful, as they provide coverage for a variety of theft-based cybercrimes that may not be covered by your cyber policy. And what about business-interruption losses caused by a hacker-driven network failure (which would probably not be covered in your typical business-interruption policy)? Consider network-interruption coverage, which covers losses stemming from disruption of business activities caused by cybercriminals; this is often the case with distributed denial-of-service (DDoS) attacks. In sum, there exist myriad coverage options for those looking to ensure protection in the event of a cyber attack.
The current increase in work-from-home practices poses even greater risks of cyber-related breaches. See Danny Palmer, Cybersecurity: Half of employees admit they are cutting corners when working from home, ZDNet, (May 28, 2020 6:41 PM). So, now is the time for companies to consult with their counsel to reevaluate existing policies to determine the extent of coverage arising from a cyber-related event. If they do not have coverage, companies should strongly consider acquiring a cyber-insurance policy.
Comments