Cyber liability insurance helps protect businesses from financial losses caused by data and privacy breaches, including hacking, ransomware and other forms of malicious attacks and errors. As companies expand their online presence and employees continue to telecommute full-time or under hybrid working policies, it is often crucial for companies to insure against these risks. Cyber liability insurance is an emerging form of coverage, and policies still are not standardized. Companies looking to expand their coverage should therefore consider asking the following questions when evaluating, placing or renewing cyber liability insurance, to ensure that the policy is tailored to their business and meets their coverage expectations.
Which incidents and losses trigger coverage?
Ultimately, coverage should depend on the business needs of a policyholder. Thus, a key question is what the policy actually covers. Not all policyholders are created equal, and cyber liability policy forms also can vary significantly in scope.
When seeking to place cyber liability coverage, it is important to understand the scope of the coverage provided by the proposed policy. Most cyber liability policy forms include first-party coverage and third-party coverage. The first-party coverage responds to losses directly borne by the business, and generally includes coverage for (among other things) the costs of responding to and investigating a data or privacy breach, certain legal fees, cyber extortion (including ransomware) response costs, payments, data restoration and business income loss. The scope of coverage for first-party losses can vary greatly from policy to policy. Third-party coverage responds to liability claims asserted against the company associated with a cyber liability incident, including investigations and actions by a governmental agency or a regulator. Companies seeking to place or renew cyber liability insurance should consult counsel to evaluate the sufficiency of the coverage and whether changes should be made to the policy (if feasible) or whether other options exist in the market.
Whose errors or breaches will the policy cover?
Cyber liability insurance typically covers malicious attacks committed by a third party. However, cyber liability risks also can arise from internal threats, such as intentional conduct by employees or other insiders, as well as unintentional errors or omissions. A policyholder should understand how the cyber liability policy responds to criminal or malicious acts by an external party and to employee activity (including acts by rogue employees) or errors or omissions committed by the company. In the event of malicious acts committed by employees, policyholders should determine whether those acts will be imputed to the company or other employees. A policyholder should also understand whether the policy will cover a vendor’s error – especially if the policyholder’s business tends to outsource sensitive information.
- Cyber liability insurance is an emerging form of coverage, and policies still are not standardized.
- To ensure that a policy meets their coverage expectations, companies will need to familiarize themselves with certain aspects concerning cyber liability insurance.