Do You (or Does Your Vendor) Need Cyber-Liability Insurance?

By Milton L. Petersen, special to Business in Savannah

As our world continues to become increasingly networked and Internet-centric, data and security breaches are also becoming ever more frequent and commonplace. Sony, Target, Home Depot, Staples, JPMorgan Chase, and TJ Maxx are just a few of the well-known companies that have been subject to highly publicized security breaches in recent years. Many companies, both large and small, now consider it not a question of whether they will be hacked, but a question of how they will prepare for and mitigate the resulting damages when they are inevitably hacked one day.

Of course, a data or security breach could result in many different types of damages, not the least of which could be reputational damages to the applicable company. While it won’t necessarily protect against all of the potential types of damages, a “cyber-liability” insurance policy can be a useful and cost-effective tool in managing some significant risks relating to a data or security breach.

As with any other type of insurance policy, coverage (and associated limitations and exclusions) can vary widely under cyber-liability insurance policies (or under cyber-liability coverage added under other insurance policies, such as professional liability (errors and omissions) policies), and any policy providing cyber-liability coverage should be carefully reviewed in advance on behalf of the applicable insured by an appropriately qualified professional. However, cyber-liability insurance generally covers (and certainly needs to cover) certain costs and liabilities resulting from a security incident that are related to crisis management, including the costs of performing forensic investigations to determine the existence, nature, and extent of the breach, costs of notifying and providing credit monitoring to affected parties, costs of notifying and responding to regulatory authorities and other regulatory compliance-related costs (including any fines and penalties), public relations costs, costs of defending resulting lawsuits and paying applicable judgments and settlements, etc. Depending upon the applicable policy, cyber-liability insurance may also provide coverage for costs of responding to “ransom” demands by the perpetrators, for costs of restoring or recreating lost data, for lost revenue resulting from a security incident, and for actions and omissions of the insured’s third-party vendors. Again, careful review of cyber-liability coverage is critical.

Companies should consider using cyber-liability insurance in two different ways, both by maintaining cyber-liability coverage themselves and by contractually requiring their third-party vendors that provide services via the Internet (or that otherwise access, furnish, process, or store data electronically) to maintain cyber-liability coverage. No company outsources all of its systems, data, and business processes to third-party vendors, and there are cases in which contract terms are simply non-negotiable or the applicable customer lacks the leverage required to negotiate contract terms with the vendor. Therefore, it may make sense for a company to obtain cyber-liability insurance itself, to help manage and mitigate its risks. Despite increases in the number of reported security breaches, cyber-liability insurance premiums are purportedly decreasing, due to both increased competition as more insurers enter this market and more historical data being available on data security risks.

However, as data security risks become more well-known and publicized, it is also becoming more common for vendors that provide information technology-related services to regularly maintain cyber-liability insurance, to help protect themselves and reduce their risks. Some vendors may even use their data security practices and policies as marketing or selling points. Thus, vendors may be willing to contractually agree, through negotiations, to maintain specified levels of cyber-liability insurance coverage and to other relevant data security-related terms (such as provisions regarding data security audits). Just like having an appropriately qualified professional review a cyber-liability insurance policy, an appropriately qualified attorney can help ensure that the terms of your information technology agreements appropriately protect and meet the needs of your company.