Data Breach Risk Management: Keeping Up With Evolving Cyber Liability Insurance

Just as cyber threats are continually evolving, so are cyber liability insurance policies. With data breaches a common occurrence, many companies are focusing on their IT systems, but tend to overlook the insurance aspects. When preparing for and responding to a cyber event, having comprehensive insurance coverage is critical. Personnel responsible for detecting, reporting and responding to cyber events and privacy violations should also have a thorough understanding of the coverages provided under their cyber policies and how those policies are triggered, well before an incident occurs.

The Evolution Begins

In the past, companies and businesses have sought coverage under traditional types of policies, such as property or commercial general liability (CGL) policies. However, there has been extensive litigation over when and in what circumstances a CGL policy covers a data breach claim. Beginning in 2001, CGL policies began excluding “electronic data” from coverage, and in 2014 additional exclusions emerged in CGL policies that were designed to eliminate coverage for cyber-related damages.

About 25 years ago, technology companies bought errors and omissions (E&O) insurance in response to the Y2K threat. Over time, E&O policies were extended to include unauthorized access to a client system, destruction of data or a virus impacting a customer’s system. The technology coverage, often called “network security” or “Internet liability,” was an add-on to the existing policy. Five to 10 years ago, these “network security” policies expanded into the privacy space by providing clear coverage for breaches of confidential information. Once coverage expanded, financial institutions, retailers and other companies holding considerable consumer data, but which were not providing the type of technology services that would warrant buying E&O insurance, took notice and began looking into stand-alone policies.

Lots of Jargon, But Four Common Components

What the term “cyber” coverage means varies among companies and industry groups. Generally, cyber liability insurance covers financial losses that result from data breaches and other cyber events. Many policies include first-party coverage, third-party coverage or both. First-party coverages apply to losses sustained by the company directly and are often subject to a deductible. Third-party coverages apply to claims against the company by people who have been injured as a result of the company's actions or inactions. Virtually all cyber liability policies are claims-made.

Although various insurance companies use different names and terminologies, cyber insurance coverage is essentially some combination of four components: E&O, media liability, network security and privacy. These categories are sometimes conflated or further divided into other subparts.

As noted above, E&O covers claims arising from errors in the performance of services, which can include technology services such as software consulting or more traditional professional services such as attorneys, medical personnel and financial planners. This is a first-party claim.

Media liability is a third-party claim pertaining to advertising injury, such as domain name infringement, intellectual property and copyright/trademark infringement, and defamation, libel and slander. Because businesses now operate on the Internet, companies have seen this coverage migrate from their general liability policy to being bundled into a media component of a cyber policy, or even into a separate media liability policy.

Network security is both a first- and third-party claim. A failure of network security can lead to many different exposures, including a consumer data breach, destruction of data, virus transmission and cyber extortion. Network security coverage can also apply to trade secrets or improper access to information contained in patent applications.

Privacy is also a first- and third-party claim. It includes the wrongful collection of personally identifiable information (PII), which usually pertains to medical, health and financial records. PII is defined in some regulations and statutes, but there is no standardized definition, especially in the United States, so insurers may specifically define PII depending on the company's business model.

Cyber coverage includes some of the following first-party costs when a security failure or data breach occurs: