Any business which uses computer networks and other technological services is increasingly at risk of cyber-attacks by criminals ranging from “lone wolf” hackers to foreign governments and even competitors. As news about these brazen acts become more common, small companies and large corporations alike are devoting more attention to preventive measures to avoid large financial losses and potential lawsuits resulting from such attacks.
Cybersecurity insurance protects businesses against financial losses caused by cyber incidents, including data breaches and theft, system hacking, ransomware extortion payments and denial of service. For small businesses that store sensitive information online, this coverage is all but essential. Businesses that store personal data such as phone numbers, credit card information or Social Security numbers are especially at risk of a cyberattack and could benefit from cybersecurity insurance. Legal counsel can assist businesses in evaluating existing coverages and determining the need for additional insurance of all types, including in this fast-emerging area.
Cybersecurity insurance is generally offered as either first-party or liability coverage. First-party coverage provides financial assistance to help an insured business with recovery costs. Policies commonly cover the cost of notifying customers about the cyber incident and providing them with anti-fraud services such as credit monitoring. Cybersecurity liability coverage protects a business when a third party sues the policyholder for damages resulting from a cyber-attack.
A technology firm should also consider adding technology errors and omissions (“E & O”) coverage as well. This additional coverage commonly pays for items similar to that of cybersecurity liability insurance, such as legal fees, court costs, and judgments or settlements but only in covered circumstances relating to products or services.
Businesses that store their own financial data and any personal customer or client data should at least consider first-party coverage. For example, a business that is the victim of a ransomware attack can lose valuable data, such as financial records, if it is unable to respond to the payment demands. With first-party coverage, the business’s insurer will typically cover part or all of the ransom payment, depending on the coverage limits of the policy. Companies and firms that store more significant personal information about employees and customers should consider liability coverage, also known as third-party coverage, to cover legal fees and judgments in cases where the business is sued for damages caused by a cyberattack.
Cybersecurity insurance usually only covers monetary damages, and not for any property damage stemming from a data breach or cyberattack, such as damage to computer hardware. These sorts of claims are usually considered part of commercial property insurance coverage.
Protective measures to avoid a future cyberattack are also not traditionally covered by a cybersecurity policy. This includes training employees on cybersecurity awareness and setting up a virtual private network.
As more and more companies are learning about potential vulnerabilities of their computer networks, they are no longer taking for granted that firewalls and other protective measures will prevent attacks that might jeopardize their entire business operation, causing at least shutdown, and possibly even permanent closure and financial ruin. Consulting with counsel as well as other professional advisors can be a worthwhile investment to ensure that any losses incurred in such instances can be kept to a minimum through insurance and other practical measures.
For more information, Stewart Banner