Cyber Liability Insurance FAQ

This coverage protects a business or organization from:

• Liability claims involving the unauthorized release of information that the organization has a legal obligation to keep private.
• Liability claims alleging personal injury and/or intellectual property violations in a digital, online or social media environment.
• Liability claims claiming computer security failures that result in data deletion/alteration, transmission of malicious code, denial of service, etc.
• Defense costs in state or federal regulatory proceedings that involve violations of privacy law.
• The provision of expert resources and monetary reimbursement for out-of-pocket (first party) expenses associated with the appropriate handling of the types of incidents listed above.

In addition to electronic hacking or online activities, Cyber Liability Insurance provides coverage for private data and communications in many different formats (e.g., paper, digital).

It should extend beyond providing liability protection against the unauthorized release of personally identifiable information (PII), protected health information (PHI) and corporate confidential information, a feature commonly found in standard “data breach” policies. Privacy liability should provide true “privacy” protection in that the definition of privacy breach includes violations of a person’s right to privacy, privacy breach publicity and similar scenarios. Given that compromised information in every data breach may not align with state or federal definitions of PII or PHI, the policy should broaden coverage to address potential gaps that could become costly.

Protects insureds by offering coverage for legal defense costs and any resulting fines or penalties from a regulatory claim. It extends to allegations of privacy breaches or violations of privacy regulations stipulated in federal, state, local or foreign statutes or regulations.

This first-party coverage reimburses an insured for costs incurred in the event of a security breach of personal, confidential information of their customers or employees. Examples include:

• The hiring of a public relations consultant to help avert or mitigate damage to the insured’s brand.
• IT forensics, customer notification and first-party legal expenses to determine the insured’s obligations under applicable privacy regulations.
• Credit monitoring expenses for affected customers.

In instances where there is no legal duty to notify, but the insured believes notification will mitigate potential brand damage, the policy may extend coverage. Such voluntary notification requires prior written consent by the insurance company.

Provides coverage for the insured for “security wrongful act” allegations, including:

• The inability of a third party, who is authorized to do so, to gain access to the insured’s computer systems.
• The failure to prevent unauthorized access or use of a computer system, along with the failure to prevent false communications such as “phishing” that results in corruption, deletion or damage to electronic data, data theft and denial of service attacks against third-party websites or computer systems.
• Protects against liability associated with the insured’s failure to prevent malicious code transmission from their computer system to a third party’s computer system.

This agreement provides broad coverage against allegations including:

• Defamation
• Libels
• Slander
• Emotional distress
• Invasion of the right to privacy
• Copyright
• Other forms of intellectual property infringement (patent excluded) during the insured’s communication of media content in electronic (e.g., website, social media) or non-electronic forms.

This agreement provides coverage for expenses and payments to a harmful third party to avert potential damage threatened against the insured. This harm may include situations like the introduction of malicious code, system interruption, data corruption or destruction/dissemination of personal or confidential corporate information.

They provide for lost earnings and incurred expenses resulting from a security compromise causing computer system failure or disruption, or the inability of an authorized third party to access a computer system. Additionally, this coverage compasses the restoration costs to reinstate or recreate digital (not hardware) assets to their original state. It’s important to note that the definition of computer system extends beyond systems directly controlled by the insured and includes systems under the control of a contracted service provider responsible for storing or processing the insured’s digital assets.

The PCI-DSS was established in 2006 as a collaborative effort among major credit card brands. Its objective is to introduce standardized security best practices for the secure processing of credit card transactions. To achieve PCI Compliance, merchants and service providers must adhere to six stated goals and 12 requirements. A cyber policy can help offset the financial burden of covering the cost of damages and claim expenses that the insured is legally obligated to pay.

It offers payment for loss of funds resulting directly from funds transfer, payment or delivery from your account as the direct result of intentionally misleading your employee, through a misrepresentation of a material fact (deceptive transfer) which is:

• Relied upon by an employee.
• Sent via a telephone call, email, text, instant message, social media or any other electronic instruction (e.g., phishing, spear phishing, social engineering, pretexting, diversion).
• Sent by a person posing as an employee, customer, client or vendor.
• The authenticity of such transfer requests is verified in accordance with your internal procedures.

According to the IBM “Cost of a Data Breach Report,” the average cost for each lost or stolen record is $180, which is a 20% increase from the previous year. These expenses reflect both the indirect expenses associated with resolving a data breach (e.g., time, effort, other organizational), and direct expenses (e.g., customer notification, credit monitoring, forensics analysis, legal services). Considering the individual characteristics of each breach and the impact of the number of compromised records on the per-capita cost, it may be more suitable for small to mid-sized organizations to initially estimate a lower cost of $85/record. This is based on the average direct costs associated with a data bread as identified in the Ponemon study. By multiplying this number by the projected estimation of records containing PII, PHI or financial account information in the insured’s control, organizations can gain better insight into the financial advantages of adopting cyber insurance.

Unfortunately, the answer is no. While there have been limited instances where liability coverage for data breach and privacy claims has been found under General Liability, Commercial Crime and some D&O policies, these policies aren’t intended to adequately respond to the modern threats posed in today’s 24/7 information environment. Insurance carriers and ISO are actively updating their policy forms to include exclusions that clarify their intention not to cover these specific threats. Additionally, even in cases where coverage is found through other policies, they often lack the necessary expertise and essential first-party coverages needed to effectively mitigate the financial, operational and reputational damages a data breach can inflict on an organization.

Although there is currently no legal obligation for a business or organization to carry Cyber Liability insurance, there is a developing national trend where business contracts require proof of such coverage. The U.S. Securities and Exchange Commission (SEC) is also encouraging the disclosure of this coverage as a means of demonstrating effective management of security risks. Various laws (e.g., HIPAA-HITECH, Gramm-Leach-Bliley, state-specific data breach laws), perpetually demand notification following a data breach, making proper notification more expensive.

Regrettably, no organization is immune to cybersecurity threats. Small and medium enterprises (SMEs)account for 43% of all cyberattacks. Last year alone, small businesses encountered a staggering 424% increase in new cyber breaches.

Approximately 52% of data security breaches are attributed to human error and system failures. Experts highly recommend employing multifactor authentication (MFA) as a preventative measure. However, the deployment of MFA by SMEs is notably low at 18%, compared to large businesses (43%).

These figures indicate that the average financial impact of cyberattacks on organizations (losses and expenses), reached a total of $4.35 million in 2022. An IBM survey revealed a significant factor contributing to these elevating costs and found that most data breaches require an average of 277 days to identify and contain.