In this part of the blog series on the connection between cybersecurity and insurance, we move into the adoption of cybersecurity insurance and what is typically covered by these policies.
Beginnings: the need to distinguish between digital and physical property
Cybersecurity insurance is a new product concept.
It came to life in the late 1990s, when IT services provider Ingram Micro had a software database destroyed by physical damage. Ingram attempted to have the loss covered under their property insurance policy.
In their mind this was appropriate, because to them a piece of software or a database was property. The distinction that concerned the insurer was that property insurance had historically covered tangible assets, such as a building: if a building is destroyed by fire, business continuity is interrupted, resulting in a loss of revenue. The insurer contended that a database was not physical property but a container for digital information, which was not tangible. Ingram asked the insurer to show where in the policy the property was required to be tangible. The insurer agreed that this was not distinctly specified in the policy and paid the claim.
Traditional Policies Begin to Inject Cybersecurity Exclusions
The insurer didn’t want to be fooled twice.
After the Ingram Micro incident, insurers began stipulating in their policies that only certain, very particular types of property counted as covered property, and that covered property had to be tangible.
New policies specific to cybersecurity risk began to emerge. The Ingram Micro case is often considered an important milestone in the evolution of cybersecurity insurance, because it created the demand for a dedicated product.
Mainstream Adoption of Cybersecurity Insurance
The California Online Privacy Protection Act of 2003 (CalOPPA)
Mainstream adoption of cybersecurity insurance began taking off in 2003, when California became the first state to pass regulation for online privacy. A website owner could be held at fault for negligence, or even for knowingly failing to comply with the act, which could ultimately result in charges filed for noncompliance.
The notion of PII and the importance of protecting it entered the public sphere. But it is about more than data being breached. The consequences of cyber-attacks have expanded to many other types of loss, and the cybersecurity insurance market grew rapidly to over two hundred carriers.
Cybersecurity Insurance Coverages
- Broad coverage for failure to protect data
  - The loss may stem from your inability to protect your data or network. The third parties making claims can include customers, consumers, or someone with whom you have no business relationship at all.
- Vicarious liability coverage for vendors
  - This is a very important risk to consider, since you can do everything right and still suffer massive losses resulting from a cyber event. A cyber insurance policy provides coverage to help defend you when such third parties allege that they suffered some form of financial loss. Those claims can rapidly grow to include the cost of resources, lost revenue, and any regulatory penalties and fines the third parties incur.
- Regulatory fines & penalties
  - Regulators will want to know what happened and whether you did everything right. In particular, they will look at whether you have a strong cyber risk management platform and have performed the assessments needed to determine your cyber posture and identify gaps for improvement.
- Civil & Class Action Defense
  - This may also cover legal fees; defending an organization can involve significant defense costs.
Other Benefits:
- “Other Insurance” clause may make professional liability policy primary
- Preserves Errors & Omissions policy limits for professional liability claims rather than data breaches
- Cyber policies generally have lower deductibles
- “Primary/noncontributory” language is being added to some cyber policies to avoid coverage disputes
Financial Impacts: Affect Revenue and Expenses
Several years ago, cybersecurity insurance was not required as part of a business contract.
Now it is often stipulated as an obligation of doing business. Approaching it from this angle, companies have often purchased insurance limits based solely on their budget or on the minimum requirements of a contract. However, this is not a prudent course of action if one truly wants to minimize exposure to a cyber event.
As listed above, a cyber event can cause many different types of losses, and some of them are deceptively expensive. For example, in a recent breach of a health care provider, the entire policy limit was exhausted on postage for notification: every single customer whose PII was breached had to receive a physical letter about the event (as required by the CCPA).
The general trend in 2019-2020 has been companies realizing that they should purchase a higher limit. Where a $100 million policy was once the norm, we now see companies buying $250-500 million policies.
Cyber Insurance Policies Can be Retroactive
You can purchase cyber insurance whose coverage reaches back a number of years, so that an event that happened several years before your current policy period is still covered.
This is a very important consideration because many times, an event may have happened much earlier than it was discovered.
Cyber Insurance is not a Silver Bullet
As with any insurance policy, there are going to be things that are naturally not covered or excluded.
In the next few blogs, we will explain the limitations of a stand-alone cybersecurity insurance policy. More importantly, we will discuss the importance of looking at the broader insurance portfolio. Cyber is now a type of risk that has consequences across all types of coverage, which makes it very complex to understand how much exposure your organization truly has. We will show how to build the bridge that connects cyber risk and insurance coverage.
If you’d like to learn more about how you can discover possible clauses and exclusions within your insurance policies, please feel free to reach out to us.