Authors: Attorney John C. Mitby & Law Clerk Elizabeth L. Spencer
According to the Insurance Information Institute, cyber incidents have become the third largest risk to businesses worldwide, leading many businesses to seek out insurance protection against cyber risks. PricewaterhouseCoopers estimates that annual gross written premiums for cybersecurity insurance are set to grow from around $2.5 billion today up to $7.5 billion by the end of the decade. Even though cybersecurity insurance is becoming more popular both insurers and those seeking protection face numerous challenges in this growing area.
First, traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms. Insurance companies often offer standalone cybersecurity insurance to mitigate the potential results of a cyber breaches. Cybersecurity insurance covers areas of liability not covered by traditional policies, and may include costs arising from data destruction or theft, extortion demands, hacking, identify theft, denial of service attacks, and crisis management activities related to breaches. While these policies have numerous advantages they are often very costly and may not cover all potential risks.
Second, cyber risks have been difficult for insurance companies to quantify due to the lack of actuarial data. Insurers have often compensated for a lack of data by relying on qualitative assessments of the applicants. These assessments include examining the business operation, the number of customers, its scope, network security policies, network security procedures, web presence, and the type of data collected and stored. This information, typically disclosed in the application, will then become part of the terms of the coverage with any false statements voiding the contract. Thus, the policies are often more customized making them ultimately more costly. Additionally, this customization results in a standardization problem that extends not only to differences between individual policies but a lack of uniformity of coverage offered by the major insurers.
The harms resulting from cyber risks also present a challenge because they can be difficult to detect and may go undiscovered for years. When a breach goes undetected for an extended period of time there can be an accumulation and compounding of losses. Further, this delay is a challenge in the context of determining when the policy has been triggered. Individuals often do not know that their information has been breached until a company notifies them, meaning that only after an organization notifies its customers of a breach does it receive an actual complaint constituting a claim that triggers the policy. The costs incurred by the company to notify customers of the data breach may not be covered as the insurer may say those costs were incurred before coverage was triggered. These costs can be substantial and could lead to disputes between insurers and the insured.
Finally, the changing nature of cyber risks and threats will continually present new challenges to the insurance industry and its customers. Insurers must remain active in offering policies that cover potential business threats while business owners will need to be actively updating their own organization’s security policies. The frequently changing nature of the threat will continue to make it difficult for insurers to offer standardized polices across the industry.
Despite challenges and areas that need to be worked out, business owners should consider getting cybersecurity coverage. Taking a proactive approach to cybersecurity can help set customers’ concerns about potential breaches of their confidential materials at bay and can help mitigate the consequences of any threats or breaches. Before completing an application for coverage and signing an agreement, a business should consider having it reviewed by both their IT department or consultant and their attorney.