Cyber insurance can be an extremely valuable asset in an organization's strategy to address and mitigate cyber security, data privacy, and other risks. But selecting and negotiating the right insurance product can present a significant challenge given, among other things, the lack of standardized policy language and the fact that many “off the shelf” policies do not adequately match the organization's risk profile. The following five tips will help to facilitate a successful cyber policy placement.

#1. Get a Grasp on Risk Profile and Tolerance

A successful cyber placement is facilitated by having a thorough understanding of an organization's risk profile, including the scope and type of personally identifiable information and confidential corporate data maintained by the company and the manner in which (and by whom) such data is used, transmitted, and stored. A complete understanding of the risk profile also entails evaluation of the organization's IT infrastructure and practices and assessment of potential threats to the organization's (and its vendors') network security. An organization should also consider the pervasiveness and manner of use of unencrypted mobile and other portable devices. There are many other factors that may warrant consideration. An organization should also assess its potential exposure in the event of a data breach or network security incident. When an organization has a grasp on its risk profile, potential exposure, and risk tolerance, it is well positioned to consider the type and amount of insurance coverage that it needs in order to adequately respond to identified risks and exposure.

#2. Look at Existing Coverage

The United States District Court's recent October 7th decision in Hartford Casualty Insurance Company v. Corcino & Associates, 2013 WL 5687527, upholding coverage under a commercial general liability (CGL) policy for a data breach that compromised the confidential medical records of nearly 20,000 patients, underscores that there may be valuable privacy and data breach coverage under traditional insurance policies, including under the personal and advertising injury liability coverage (Coverage B) of a typical CGL policy. There may also be valuable coverage for data breach and network security liability and network security failures under an organization's commercial property, directors and officers (D&O), errors and omissions (E&O), professional liability, fiduciary, crime, and other coverages.

#3. Purchase Cyber Insurance As Needed

In response to decisions upholding coverage for data breach, privacy, network security, and other cyber risks, the insurance industry has added various limitations and exclusions purporting to cut off the traditional lines of coverage. By way of example, Insurance Services Office, Inc. (ISO) recently filed a number of data breach exclusionary endorsements for use with its standard form primary, excess, and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, entitled Exclusion—Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability—Limited Bodily Injury Exception Not Included, (CG 21 07 05 14) adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non-public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.

Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of privacy coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises confidential personally identifiable information.

By way of example, the AIG Specialty Risk Protector® specimen policy, form 101014 November 2009 edition, states that the insurer will:

pay … all Loss

that the:

Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.

Privacy Event includes:

(1) any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;

(2) failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or

(3) violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.

Confidential Information means any of the following in a Company's or Information Holder's care, custody and control or for which a Company or Information Holder is legally responsible:

(1) information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual's name, address, telephone number, social security number, account relationships, account numbers, account balances, account histories and passwords;

(2) information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;

(3) information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;

(4) information used for authenticating customers for normal business transactions;

(5) any third party's trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public.

A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines, and penalties and, importantly, will commonly offer remediation coverage (sometimes termed crisis management or notification coverage) to address costs associated with a security breach, including:

â–ª costs associated with post-data breach notification

â–ª credit monitoring services

â–ª forensic investigation to determine cause and scope of a breach

â–ª public relations efforts and other crisis management expenses

â–ª legal services to determine an insured's indemnification rights where a third party's error or omission has caused the problem.

The sublimits typically associated with remediation coverage warrant careful attention.

Cyber insurance policies often offer other types of coverages, including:

â–ª network security coverage (often in the same coverage grant as the privacy coverage discussed above), which generally covers liability arising out of security threats to networks, including, for example, transmission of malicious code and DDoS attacks;

â–ª media liability coverage, which generally covers liability arising out, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content;

â–ª information asset coverage, which generally covers an insured for the cost of recreating, restoring or repairing the insured's own data or computer systems;

â–ª network interruption coverage, which generally covers an insured for its lost revenue due to network interruption or disruptions resulting from a DDoS attack, malicious code or other security threats to networks; and

â–ª extortion coverage, which generally covers an insured for the costs of responding to e-extortion threats to prevent a threatened cyber-attack.

In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk management services, which can be valuable in preventing as well as mitigating attacks.

#4. Spotlight The “Cloud”

Cyber risk is intensified by the trend in outsourcing of data handling, processing and/or storage to third party vendors, including “cloud” providers. The Ponemon Institute's 2011 Cost of Data Breach Study, published in March 2012, found that over 41 percent of U.S. data breaches are caused by third party errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.”

Many “off the shelf” cyber policies, however, purport to limit the scope of coverage to the insured's own acts and omissions (not the acts and omissions of third parties) and/or to network security threats to the insured's own network or computer system, not the networks/computer systems of third parties. This may result in illusory coverage. For example, the recent high profile attack on the New York Times homepage, during which users that tried to access www.nytimes.com were directed to a website apparently maintained by a group called the Syrian Electronic Army, may not be covered under many “off the shelf” policies because the attack was not on the New York Times system as defined in many policies, but rather on the system of a third party domain name registrar.

#5. Remember the Cyber Misnomer

Keep in mind that many data breaches are not electronic, they often result from non-electronic sources. Data privacy laws do not distinguish between a breach resulting from a network security failure or a breach on account of stolen paper records from a closet. Neither should a cyber insurance policy.

Although this type of coverage is commonly referred to as cyber insurance, a solid policy will cover non-electronic data, such as paper records. (See Richard S. Betterley, The Betterley Report, Cyber/Privacy Insurance Market Survey, June 2013). Likewise, a policy should also provide coverage for physical breaches resulting from, for example, the theft of a laptop or loss of a USB drive.

There are many other considerations and points to focus on. There is a dizzying array of cyber products on the marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer, and even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources, and compliance personnel and experienced insurance coverage counsel.

Article of the Month

The Insurance Services Office (ISO) has developed an e-commerce program providing coverage for cyber risks. The policy providing this coverage is EC 00 10 11 09, Information Security Protection Policy. (Note that ISO is providing a newer form with an edition date of January 2014.)

The Information Security Protection Policy article discusses the insuring agreements, exclusions, conditions, and definitions in EC 00 10, along with endorsements that can be used to modify the policy.