Berkshire Hathaway recently announced that it was getting into the cybersecurity insurance business, offering two new types of policies – cyber liability and breach response coverage. These policies cover everything from incident response expenses to regulatory fines to losses resulting from business disruption. The company views cybersecurity as a business necessity and believes companies have not done enough to insure themselves against the inevitable breach.
Recent events and trends would suggest that Berkshire Hathaway’s position is correct. Breaches involving major brands and government agencies continue to make headlines on a regular basis, and demand for cybersecurity insurance is on the rise across all industries. In fact, according to BITS, the technology policy division of the Financial Services Roundtable, demand increased 21 percent in 2014.
Cybersecurity insurance can provide valuable protection when a security breach occurs. However, many companies are confused about what their policies cover and don’t cover. Cybersecurity insurance has come a long way since companies first started buying errors and omissions (E&O) policies about 20 years ago to cover service issues and data loss caused by viruses and small-time hackers. Generally speaking, cybersecurity insurance covers the investigation, notification and remediation of a breach, as well as crisis management and resulting lawsuits.
While cybersecurity insurance still covers E&O-related claims, it has expanded over the years to include media liability, network security and privacy liability. Media liability covers lawsuits stemming from information or services provided through a company website, advertising or other electronic means. This can include libel, slander, or infringement of intellectual property, copyrights and trademarks. The network security component applies to the costs of downtime and compromised company or customer data caused by a breach. The privacy coverage doesn’t necessarily have to involve a data breach. For example, a privacy incident can be caused by a lost device, wrongful collection of data, and other human and technical errors. Network security and privacy liability often cover both first-party costs and third-party liabilities.
It is important to realize that cybersecurity insurance does not absolve an organization of the responsibility to plan carefully to prevent and effectively respond to a breach. Insurance is simply a form of risk management in which a portion of the financial risk is shifted to the insurance company. Certain costs will be covered, but the organization still has to deal with the fallout of the breach. Have all affected parties been notified? How have your customers and business relationships been impacted? Assuming data has been backed up, how will that data be recovered? How long will it take to resume normal business operations? Cybersecurity insurance policies do not answer these questions.
There are a number of factors to consider and questions to ask when buying cybersecurity insurance. Organizations must understand the costs of a breach, such as downtime and incident response, determine what costs and what types of incidents need to be covered, and ensure that the coverage is adequate. This may require flexibility on the part of the insurance carrier. All insurance policies have thresholds, exclusions, definitions and other fine print. These policies must be read carefully to ensure that the wording does not create a loophole that might void the coverage or enable an insurance provider to deny a claim.
Don’t make the mistake of simply buying a cookie-cutter cybersecurity insurance policy from the first insurance representative you meet, and then dismissing the issue of cybersecurity by saying, “We have insurance for that.” The costs are far too great to take lightly. Organizations can minimize risk by having their policies reviewed by an attorney who has experience in business, technology and data breach law.