
12 essentials you may be surprised to learn about cyber insurance claims

No single insurance policy can or will cover the swarm of difficulties and costs that arise after a large-scale cyber breach. Nevertheless, cyber insurance is vital, and other kinds of policies (such as kidnap, ransom and extortion coverage) may cover various stages of the breach response, such as paying for forensic analysts and lawyers, but only if the policyholder understands them well. Understanding this list of 12 can be a first step to getting the most out of your policy in the event your entity is victimized by cybercrime.

Responding to an attack

1. Cyber insurance is vital. Cyberattacks are on the rise, and many property/business interruption policies do not cover the policyholder for system downtime due to cyberattacks.

2. Check your kidnap, ransom and extortion (KRE) policies. They may cover ransomware attacks (although it is becoming less the norm).

3. Cyber and KRE policies may cover the costs of independent forensic analysts, independent consultants, lawyers and others, either expressly or as loss mitigation. Importantly, many policies have pre-approved vendors and counsel that must be used, or require insurer consent before retaining any vendors or counsel.

4. Policies may cover publicity costs, particularly because reputational harm may be one of the largest damages to a corporation following a cyberattack.

“A steadily growing list of victimized companies have reported that other costs associated with an attack … [including] damage to company brand reputation … make the cost of the ransom look trivial. … According to the Tech Transformers, ransomware attacks cost smaller companies an average of $713,000 per incident, a combination of the expense of downtime and lost business due to reputational harm,” said James R. Slaby, an executive with cybersecurity firm Acronis. See “Understanding the true, hidden costs of ransomware attacks on the business: Paying the ransom is just the tip of the iceberg” on the company’s website.

5. Be aware of your coverage for notification costs. Your policy may or may not cover the costs of notifying those impacted by a data breach—even if those disclosures are required by law.

6. Check your retroactive dates. The average cyberattack takes 287 days from the day of the breach until detection. It is important to have coverage that pre-dates the inception of the policy to cover those events where the breach occurred prior to the start of the policy, but was not discovered until weeks or months later. See Josh Moore, “Top 10 List of Cybersecurity Facts for 2022”.

7. There are severe and various penalties related to the disclosure of personally identifiable information. If you are responsible for housing, or have access to, third parties’ personally identifiable information, you may need coverage in the event that data is compromised.

8. It is vital to properly vet the vendors you use, including those used for tech support. In 2022, the FBI reported a 137% increase in tech support fraud. See Josh Moore’s Top 10 story.

9. It is important to follow your carrier’s mitigation protocol (if one exists), to avoid the inadvertent destruction or alteration of evidence the carrier may need to investigate the claim. Consider running tabletop exercises, so that key personnel know the plan on how to respond to a cyberattack—even before the scenario arises.

10. Contractual liability exclusions may bar coverage. Be sure to review your policy language and ensure that your company is adequately protected—particularly from risks that may arise via contractual obligations and relationships. It also is important to ensure that you have the proper protections from third parties with which your company does business.

11. War, terrorism or act-of-foreign-enemy exclusions may exclude coverage. It is important to negotiate carve-outs to these exclusions to ensure that your policy covers cyberattacks that originated outside your country.

12. Carriers are rewording policies to limit coverage to “theft” of data, which could exclude coverage for data exposures caused by an employee’s negligence. Negligence is the cause of nearly one-third of cyberattacks, and it is important to work with your broker or coverage attorney to ensure that negligent disclosure of data will be covered.
