While cyber insurance has become increasingly popular over the past several years, many companies still lack this protection. Companies without cyber coverage might look to their “traditional” policies, like general liability or crime, but coverage for cyber risks under those policies can be limited. This guest article by Lowenstein Sandler attorneys Eric Jesse and Jason Meyers reviews recent case law on the limits of general policies and discusses how understanding – and negotiating – the scope of cyber coverage is critical to maximizing the benefits that cyber insurance provides. See “Choosing Cybersecurity Insurance in a New Risk Environment” (Nov. 6, 2019).
What Cyber Insurance Covers
Standalone cyber policies generally provide a hybrid of “first-party” and “third-party” coverages. The first-party coverage insures loss that insureds suffer because of a cyber incident. It generally includes the following:
- Breach Response Costs. When a data breach occurs, this coverage typically insures legal fees the insured incurs to understand its notification obligations; computer forensic costs to investigate the scope of the breach; and costs for notification to affected individuals, credit/identity theft monitoring and call service centers.
- Business Interruption. This coverage insures against lost profits and extra expenses (beyond usual business expenses) that a company incurs if a system failure impairs the company’s ability to operate. Some policies also offer contingent business interruption coverage when the insured cannot operate because a vendor has suffered a cyberattack.
- Cyber Extortion/Ransomware. This coverage applies when a cybercriminal hacks into the company’s computer system and threatens to damage data, introduce a virus or shut down access to the network unless a ransom is paid.
- Cyber Crime. Cyber policies may offer cyber-related crime coverage such as: (i) computer fraud (a criminal using computers to steal money); (ii) funds transfer fraud (a criminal tricking a bank into transferring funds from the insured’s account); and (iii) social engineering (a criminal tricking the insured’s employee into transferring money).
- Data Restoration. Policies with this coverage generally cover the costs to restore or replace lost or damaged data or software because of a cyber incident.