Although cyber policies still provide tremendously valuable coverage for breach events, they’ve come a long way since then. Recent iterations of cyber policies go far beyond data breach coverage and offer protection against a wide range of the most vexing cyber threats and privacy exposures affecting companies in every business sector.
Some of the key cyber exposures for which coverage may be available are:
Coverage is generally available for ransomware payments, as well as for other types of cyber extortion, such as threats to publicly disclose protected information or to interrupt computer systems. Coverage typically includes response services, and insurers can assist with ransom negotiations. Some insurers also will assist with obtaining digital currency to pay ransom demands.
Some insurers offer coverage under cyber policies that expressly applies to social engineering attacks — i.e., phishing, business email compromise — that result in the transfer of company funds to unintended third parties.
Coverage for Senior Executive Losses
At least one insurer provides coverage for identity theft and theft of funds from personal bank accounts of executive officers resulting from a third-party breach of the company’s network security.
Corporate Identity Theft
Coverage may be available for losses incurred as a result of fraudulent use of the company’s electronic identity, including the establishment of credit in the company’s name, electronic signing of contracts, and the creation of a website designed to impersonate the company.
Contingent Business Interruption
Some insurers offer coverage for loss of business income, forensic expenses, and extra expenses sustained as a result of the interruption of the insured’s business operations caused by an unintentional and unplanned interruption of computer systems operated by a third party business that provides necessary products or services to the insured pursuant to a written contract. This coverage can be especially valuable in today’s digital and interconnected economy.
Although cyber policies typically exclude coverage for damage to tangible property, some carriers have introduced endorsements that are triggered when a hacking event causes the “bricking” (loss of use or functionality) of the insured’s computer hardware or electronic equipment by maliciously reprogramming the software installed on that hardware or equipment. Bricking coverage applies to the costs to repair or replace the affected hardware or equipment when it would cost more to reinstall software.
A particularly valuable new coverage is now offered by some insurers for improvements to the insured’s hardware or software following a security breach that exploited a weakness in the insured’s computer system. Coverage is available if it is determined that such improvements will reduce the risk of a future breach related to that weakness.
Consequential Reputational Harm
Some carriers are offering coverage for lost profits associated with the loss of current or future customers because of reputational damage resulting from a covered cyber event. The lost profits must have been incurred during a “reputational harm period,” a designated window of time following discovery of the cyber event.
Loss Adjustment Costs
Calculating the costs associated with a system damage or business interruption insurance claim can be a complicated business, particularly when costs must be allocated to an uninsured waiting period designated in the policy form. Some cyber carriers are providing coverage for the cost to retain professionals, such as forensic accountants, to assist the insured in the calculation of its financial loss.
Invoice Manipulation Loss
Many insurers are now offering coverage specifically designed for phishing attacks and other schemes to trick the insured company into transferring funds to a fraudster instead of to an entity to which the insured owes money. Now, at least one insurer provides coverage to companies that have been unable to collect payment for their goods and services as a result of an “invoice manipulation loss.” Invoice manipulation means the release or distribution of a fraudulent invoice or payment instruction resulting from a security or privacy breach. The policy covers the insured’s net cost to provide the goods or services, exclusive of profits.
Corporate Identity Theft
Coverage now is offered by some carriers for financial loss resulting from the fraudulent use of the insured’s electronic identity, including the establishment of credit in the insured’s name, electronic signing of contracts, and creation of a website designed to impersonate the insured.
Companies may be able to obtain coverage for losses resulting from the hacking of their telephone system, including reimbursement of costs for unauthorized calls and use of the company’s bandwidth.
Coverage may be available for senior executive officers if they are sued in connection with a covered cyber event.
A Word of Caution
The coverages described above may not be available from all insurers, and not all insureds will qualify for all types of coverage. In addition, some coverages may be subject to sub-limits and important conditions, such as requiring the insurance company’s consent before incurring any expenses.
Cyber insurance isn’t just for companies with large amounts of credit card data. Coverage is constantly evolving to address emerging cyber risks from which no company is immune. Companies should carefully consider how a well-designed cyber insurance policy can protect them from the expense and disruption of today’s pervasive cyber threats.