The high incidence of ransomware attacks in 2021 has caused many major insurers to tighten the terms of their cyber liability insurance. AIG, for instance, announced its intention to do so in August, following an almost 40% increase in its premiums for cyber insurance. And given the current risk ransomware poses to US companies, it’s understandable.
Consider these figures:
- Reported ransomware payments in the United States reached $590 million in the first half of 2021, compared to a total of $416 million in 2020 (US Treasury).
- Data breach costs rose from USD 3.86 million to USD 4.24 million, the highest average total cost in the 17-year history of the “Cost of a Data Breach” report (IBM).
- The average cost of a data breach is USD 1.07 million higher where remote work was a factor in causing the breach (IBM).
Data breaches and ransomware attacks are incredibly expensive. It’s for this reason that companies turn to insurers for coverage.
What is cyber liability insurance?
Cyber liability insurance covers financial losses for data breaches, ransomware, and other cyber events and incidents. The level of coverage and circumstances covered vary widely from insurer to insurer and policy to policy. But, generally, coverage can be broken down into two categories: first-party coverage and third-party coverage.
First-party coverage insures certain out-of-pocket expenses for a business. The exact types of first-party coverage will be detailed in a policy document, but the covered expenses might include data restoration costs, notification costs, crisis management costs, and/or loss of income. Your policy may cover ransomware and other attacks by malicious actors, but you need to read your policy (or consider having your legal team review it). It’s a mistake to ever assume that insurance covers certain situations.
In every case, it’s important to consider expenses beyond the scope of your insurance. The costs of ransomware, for instance, extend far beyond the ransom itself. Your IT infrastructure will be out of action while the ransom is paid, which will affect operations, productivity, and profits. Following the breach, you can expect customer turnover due to loss of trust, resulting in further costs to retain new customers and manage your reputation. In some cases, your cyber insurance may cover some of these costs (up to your policy limit), but it’s important to consider them when determining your actual risk stemming from a cyber attack.
Third-party coverage covers third parties injured as a result of the insured cyber event. This might include lawsuits resulting from a data breach, or the costs paid out to third parties to mitigate the impact of the cyber event, such as when a business pays for credit monitoring after a data breach exposes customers’ credit card details.
Caution: Insurers are interpreting cyber liability insurance policies narrowly.
As a result of the increasing costs (and falling profitability) of cyber liability policies, as well as the changing risk landscape, we’re seeing insurers narrow their interpretation of cyber liability policies. Insurers are testing claims in courts around the US, contending that data destroyed or locked up during a ransomware attack isn’t ‘breached’ or that the equipment that has been locked up isn’t ‘damaged’, since there hasn’t been physical damage to the hardware.
It’s important to note that your company is also required to mitigate its losses as best it can during a cyber event. Essentially, if there’s something you could have done to reduce the financial cost of the cyber event, your insurer may not need to pay out any costs in excess of that lower amount.
So, what should companies do?
Planning is key to your company’s survival following a cyber event. You should work with your legal team and your IT team to develop robust protections designed to prevent cyber vulnerabilities, as well as a mitigation and action plan that kicks in if a cyber event occurs. Cyber liability insurance may be one piece of the puzzle in this plan, but it should not be seen as a complete solution.
If you need assistance developing robust cybersecurity and privacy risk management strategies for your company, reach out. Our cyber security and privacy attorneys would love to help.