The costs of cyber breaches: is your business adequately insured?
December 2013 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Cyber breaches have increased significantly over the last six years, more than doubling since 2006, and this trend is likely to continue. As cyber threats become more diversified and prominent, companies continue to face additional risk. This article explores the various costs and exposures associated with cyber breaches and the insurance coverage issues with respect thereto, including the possible implication of general liability (GL), directors & officers (D&O), and errors & omissions (E&O) insurance policies, as well as the developing cyber liability policies.
Costs and exposures
In an August 2013 study by the Ponemon Institute LLC,the average financial impact of a data breach to a company is $9.4m dollars, which includes the direct costs to resolve the data breach (including notification services and legal fees and indirect costs such as lost productivity, decreased revenues, legal actions, lost customers, and reputational damages). This financial impact is not expected to decrease. In fact, the average financial impact is expected to increase to approximately $163m over the next two years, according to the same study.
Regulatory obligations with respect to data breaches are also increasing. On the state level, both Vermont and North Dakota have recently amended their data breach notification laws to expand reporting requirements and to protect additional types of medical and health insurance information, respectively. In 2011, the Securities and Exchange Commission (SEC) issued guidance regarding a company’s disclosure of cyber risks and incidents. Thus, after suffering a cyber breach, the SEC may determine that a company’s previously issued disclosure statement was inadequate or misleading, leading the SEC to commence an investigation or lawsuit. Additionally, the Federal Trade Commission (FTC) uses 15 U.S.C. § 45, which prohibits unfair or deceptive practices affecting commerce, to seek monetary penalties from companies that have engaged in unfair practices by misrepresenting their cyber security measures to the public. The FTC also recently implemented the Red Flags Rule, 16 CFR 681, which requires the board of directors of a company to develop and implement a plan to identify and react to cyber threats, and can issue a $1000 fine for each instance of non-compliance.
Civil lawsuits, an indirect cost of a cyber breach, may include individual or class actions alleging damages for invasion of privacy, negligence, breach of contract, or misappropriation of intellectual property, among other things. Directors and officers of public companies also face a threat of shareholder derivative actions predicated on an alleged breach of fiduciary duty in failing to employ proper cyber security measures. Shareholder class actions may also result from a cyber security breach, based on the company’s alleged insufficient or misleading disclosures regarding cyber risks.
Insurance coverage issues
When faced with these significant exposures as a result of a cyber breach, insurance coverage may or may not be available to a company based on the specific policy language and the nature of the claims asserted as a result of the breach. In fact, depending on the nature of the claim, coverage might be available under different policies. While GL, D&O, and E&O policies may provide some coverage for cyber breach depending on the specific claims asserted, such coverage is often limited. New specialised cyber liability policies should provide a clearer picture of the risks covered.
As evidenced by ongoing litigation instituted by Zurich American Insurance Company against Sony Corp. with respect to a data breach in 2011, coverage for cyber breach claims under GL policies are hotly contested. With respect to GL policies, companies have sought coverage for cyber breaches under both ‘property damage’ and ‘personal and advertising injury’ coverage. Coverage for ‘property damage’ is largely unavailable for cyber breaches, as ‘property damage’ coverage is only available for claims arising out of damage to ‘tangible property’. Generally, GL policies contain exclusions or definitions which remove electronic data from the definition of ‘tangible property’. Alternatively, coverage is often sought under the ‘personal and advertising injury’ coverage of GL policies, with respect to claims for invasion of privacy related to a data breach. Depending on the jurisdiction, lawsuits alleging violations of privacy may not be covered because the publication was either not sufficiently widespread to constitute ‘publication’ or the information breached was not sufficiently ‘private’.
D&O policies may provide coverage for certain claims arising out of a cyber breach. Coverage is typically afforded to directors and officers for claims alleging breach of fiduciary duty, negligence or lack of supervision in connection with a cyber security incident. As a result, a D&O policy would usually provide coverage for shareholder derivative lawsuits and shareholder securities lawsuits arising out of a cyber breach. However, depending on the exclusions contained within the policy, such as a regulatory exclusion, coverage may not be afforded for the SEC and FTC regulatory investigations discussed above.
Additionally, coverage is generally not afforded for liability arising from a cyber breach under E&O policies, unless the company’s services have a close nexus with cyber data. E&O policies insure against loss resulting from a claim for wrongful acts committed in the rendering of professional services. In most instances, this will not include claims arising from cyber breaches, as most professional services would not have a sufficiently close nexus to cyber data. As recognised in a recent decision by the Eighth Circuit Court of Appeals, however, a duty to defend under an E&O policy may be triggered where the insured’s core business is related to information technology. Thus, to the extent that a company’s professional services relate to cyber data, an E&O policy could be triggered in the event of a cyber breach.
While a company may be able to obtain some coverage under a GL, D&O or E&O policy for claims arising out of a cyber data breach, this coverage does not cover all the potential claims that may arise. For example, regulatory investigations will often not be covered by a GL or D&O policy, as such claims do not fall within the defined coverage of those policies. Additionally, individual claims alleging breach of contract or misappropriation of intellectual property will also not be covered under any of the foregoing policies, due to typical exclusions in the policies. Thus, a company may still face liability resulting from a cyber breach even if it possesses a GL, D&O and an E&O policy.
As a result, many companies are opting to purchase separate cyber liability policies to cover these risks. Cyber liability policies typically include coverage for compliance with cyber breach notification laws, including forensic investigation and credit monitoring, as well as the costs to defend civil suits and regulatory actions related to the cyber breach. Cyber liability policies are becoming more common, but there is no standard policy language. As such, a company should thoroughly review the terms of any proposed policy to ensure adequate coverage.
In light of the increasing frequency and costs of cyber breaches, a company’s best course of action is to fully evaluate the cyber risks, determine the amount of insurance coverage available, and determine whether that coverage is sufficient based on the risks. Given the potential exposure of a cyber breach and the scope of coverage under GL, D&O, and E&O policies, standalone cyber liability policies should be strongly considered.
Christopher Nucifora is the managing partner, and Amanda Griner and Edward Patrick Abbott are attorneys, at Kaufman Dolowich & Voluck, LLP. Mr Nucifora can be contacted on +1 (201) 708 8207 or by email: email@example.com. Ms Griner can be contacted on +1 (516) 681 1100 or by email: firstname.lastname@example.org. Mr Patrick Abbott can be contacted on +1 (201) 488 6655 or by email: email@example.com.
© Financier Worldwide
Christopher Nucifora, Amanda Griner and Edward Patrick Abbott
Kaufman Dolowich & Voluck, LLP