Generally, however, cyberliability insurance can be grouped into two categories:
- First-party cyber insurance, which covers the policyholder’s own losses caused by a cyber incident; and
- Third-party cyber insurance, which covers the policyholder in connection with its potential liability for third-party damages and losses as a result of a cyber incident.
First-party cyber coverage. The critical consideration for an entity purchasing first-party cyber insurance is a full and in-depth understanding of the entity’s own IT systems, system networks, hardware, software and the potential vulnerabilities related to its IT systems. Once these are understood, policyholders should negotiate for policy terms that include coverage for all potential costs related to a cyber incident, such as costs associated with the investigation of the cause of a cyber incident, costs of notifying those who have been impacted by a data breach, costs of providing credit or other information monitoring services for impacted individuals and the cost of paying ransom to extortionists holding systems or files hostage.
Policyholders also should negotiate for cyber insurance provisions that cover the costs to repair or restore software and data affected by a cyber incident, as well as the costs to replace or recreate such software and data in the event of a complete loss of such software and data.
Further, policyholders need to have a full and complete understanding of how their gross earnings could be impacted by a potential shutdown of their business due to a cyberattack.
Policyholders should consider cyber insurance policies that broadly cover the potential business income loss and extra expenses that may ensue from cyber incidents to their own systems, as well as the losses and expenses stemming from a cyberattack to a vital supplier or vendor.
Third-party cyber coverage. Third-party cyber insurance policies generally offer coverage for the policyholder’s “loss” – in the form of potential defense costs, settlements, judgments, fines and penalties – should a third party, including a governmental or regulatory entity, bring a “claim” in relation to a cyber incident within the policyholder’s systems. Critical terms such as “loss” and “claim” vary from policy to policy, and every policyholder needs to assess whether the policy’s definitions sufficiently cover its needs.
Some policies may include an exclusion for fines and penalties, and insurance companies frequently claim that payments made as a result of third-party lawsuits fall under the meaning of fines and penalties. Policyholders should negotiate and check their policies for more favorable language broadly stating that covered losses shall include fines and penalties imposed under a privacy statute such as the Health Insurance Portability and Accountability Act or any similar local, state or federal privacy statute or regulation. Atl. Specialty Ins. Co. v. Lexington Ins. Co., No. 2:21-cv-0616-BJR, 2022 U.S. Dist. LEXIS 208044, at *31-32 (W.D. Wash. Nov. 16, 2022) (applying Washington law) (broadly interpreting policy language like the above in favor of the policyholder).
Coverage under “traditional,” non-cyber-specific policies. Aside from cyber-specific liability policies, some commercial general liability (CGL) policies may offer third-party liability coverage for cyber incidents. For example, CGL policies commonly cover “personal and advertising injury” and may define that term to include injury arising out of the written publication of material that violates a person’s right of privacy. Where third parties have sued policyholders in connection with data breaches, multiple courts have found that those third-party lawsuits trigger the coverage for “personal and advertising injury” in the policyholder’s CGL policies. See Landry’s, Inc. v. The Ins. Co. of Pa., 4 F.4th 366, 371-72 (5th Cir. 2021) (applying Texas law); Atl. Specialty Ins. Co., 2022 U.S. Dist. LEXIS 208044, at *16.
As another example of potential coverage for cyber incidents under traditional, non-cyber-specific policies, courts have found that data breaches and power outages resulting in damage to policyholders’ networks and computer systems may qualify as property damage under property and business interruption policies. See, e.g., Se. Mental Health Ctr., Inc. v. Pac. Ins. Co., 439 F. Supp. 2d 831, 837 (W.D. Tenn. 2006) (applying Tennessee law) (“The Court finds that the corruption of the pharmacy computer constitutes ‘direct physical loss of or damage to property’ under the business interruption policy.”); NMS Servs. Inc. v. The Hartford, 62 F. App’x 511, 514 (4th Cir. 2003) (“There is no question that NMS suffered damage to its property, specifically, damage to the computers it owned [more specifically, erasure of computer files and databases], and this Court has already concluded that the damage constitutes a covered cause of loss.”); Lambrecht & Assocs. v. State Farm Lloyds, 119 S.W.3d 16, 26 (Tex. App. 2003) (finding that electronic media and records and the data stored on such media was “capable of sustaining a ‘physical’ loss”); Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. 99-185, 2000 U.S. Dist. LEXIS 7299, at *6 (D. Ariz. 2000) (“The Court finds that ‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.”).
Cyber, CGL and other policies often contain territorial conditions and limitations. For example, policy language may limit coverage to occurrences that take place within specific countries, such as the United States. Because cyber incidents frequently originate from outside the United States, policyholders should be aware of this language and should negotiate to eliminate or narrow any territorial limitations in their cyber policies. Otherwise, they might be faced with an insurance company that tries to assert that a cyber incident originated from a foreign IP address and that, therefore, the policyholder has not met a condition entitling it to coverage. See Quality Plus Servs. v. Nat’l Union Fire Ins. Co., No. 3:18cv454, 2020 U.S. Dist. LEXIS 7337, at *49 (E.D. Va. Jan. 15, 2020) (applying Virginia law) (noting that it was a question of fact whether the fraudulent email instructions originated from Nigeria for purposes of construing a territory condition).
While courts have taken divergent approaches to addressing insurance coverage for a variety of cyber-related losses in recent years, the above sampling of cases illustrates how certain policy terms and conditions may become relevant to cyber coverage disputes and how negotiating for broader policy language can ensure the removal of at least some obstacles to coverage.