By: Summer Frederick
Cybersecurity insurance, a/k/a “cyber” insurance, used to be a coverage that overly cautious businesses bought “just in case,” as a means of risk transfer. It was not a critical product purchased by most companies, however, because there was no widely accepted need. The continued evolution of cyberattacks has changed this perception to some degree.
Cyber insurance now is considerably more common, although most businesses do not purchase it until after they have suffered a breach or other loss. The industry has no standard policy form, so policy definitions, insuring agreements, conditions, and exclusions differ between policies. A side-by-side comparison of policies is challenging at best. The wide variability of cyber insurance policy forms makes it a complex and confusing product even for insurance professionals and attorneys. Also, underwriters lack historical loss data for purposes of underwriting and rating, which further compounds issues of whether an insured has purchased appropriate coverage and whether coverage exists following a loss.
What Does Cyber Insurance Cover?
As a general proposition, policies may contain both first-party and third-party coverage parts.[1] Third-party coverage protects against losses for which a business may be responsible because of a breach of client data, usually due to either a mistake or an oversight. Coverages may include:
First-party coverage protects businesses against their own financial loss resulting from data breaches or cyberattacks. Data breaches or cyberattacks could include malicious or accidental destruction of data, or loss or damage of data by a computer virus or malware. Coverages may include:
What Are The Potential Gaps?
It appears that cyber insurance covers a lot, and it does. But the potential exists for significant gaps, wherein a particular policy’s terms and conditions simply do not afford coverage. Also, remote work during the pandemic created a huge uptick in cyber claims. At this juncture, what cyber insurance does not cover and the claims for which carriers are dropping coverage may be surprising. Following are two examples.
Social Engineering. Many businesses purchase cyber insurance with the threat of social engineering in mind. Social engineering occurs when malicious actors trick company employees or executives into providing credentials, transferring funds, or making purchases. Tricks may involve impersonating an authoritative figure or legitimate user like a manager, posing as a third-party vendor or supplier, phishing, and dumpster diving.
Losses caused by social engineering can be significant, but may or may not be covered. Transfers of money, or provision of credentials, are actions undertaken voluntarily. Many policies contain some variation of exclusion for “voluntary parting.” As a result, loss may be excluded.[2] If a policy explicitly affords coverage for social engineering, it is usually sub-limited. The low sub-limit may be grossly insufficient to cover a loss.
Ransomware Attacks. Ransomware is designed to infiltrate computer systems and deny legitimate users or organizations access. Cybercriminals then demand payment in exchange for a decryption key. Some variations exist, such as a threat of data theft as further incentive to pay a ransom.
But, if an organization pays a ransom, it may not be covered. This is because a ransomware attack may not be a true data breach as defined by the policy’s terms and conditions. A particular policy may define “loss,” “damage,” or “physical damage” in such a way that they do not include payment of ransom.
Also, as more employees were forced to work remotely during the Covid-19 pandemic, insurers saw a major surge in ransomware attack claims. This trend has caused insurers to question whether payout of these claims simply drives up the cost of ransoms. That is, does coverage for ransomware attacks hurt more than it helps? To this end, carriers have begun to explicitly exclude ransom payments.
Takeaways
Cyberattacks will not go away anytime soon. Threats will continue to grow and evolve, creating a corresponding need for cyber insurance. In the coming years, we can expect to see this product more widely used, generating important historical loss data that is useful to insurers in relation to underwriting and rating. Yet increased claims frequency and severity means that rates will be higher for less coverage, as carriers decide whether to assume risks and what risks are acceptable.
At the end of the day, cyber insurance is a valuable product that may greatly assist businesses with liability for cyber breaches and financial loss. But insurance is not a substitute for education and training, effective risk mitigation strategies, and diligence.
[1] In the absence of a standard industry policy form, a particular policy may contain only some of these coverages but not others. For example, a policy may provide network security and multimedia coverage but no first-party coverage.
[2] Since there is no standard policy form, it is not possible to conclude that all losses caused by social engineering are excluded by “voluntary parting” exclusions. In an opinion issued last month, the Fifth Court of Appeals at Dallas concluded that the “voluntary parting” exclusion in a cyber insurance policy did not apply because it conflicted with other policy conditions. See Central Mutual Insurance Company v. Reliance Property Management, Inc., No. 5:22-00071-cv, 2022 WL 1657031 (Tex. App.—Dallas May 25, 2022, no pet. h.). Whether coverage exists for social engineering must be evaluated on a case-by-case basis using the particular form at issue. Coverage counsel may offer a tremendous value with respect to policy interpretation.