A common question we often hear CEOs, CFOs and directors of businesses and public and private institutions ask is, “What terms and conditions should I consider when buying cyber insurance?” We have compiled a list of some of the most important terms and conditions to consider. However, you should discuss more nuanced industry and organization specific terms and conditions with your broker and insurance coverage attorney.
1. Crisis Services
Crisis services include the costs for computer forensic investigations to determine the cause of the data breaches, obtaining legal guidance, notifying victims, providing credit monitoring to the victims, and promoting media or public relations campaigns. According to Net Diligence’s 2014 Cyber Claims Study, almost half of the total amount of insurance company payouts from data breaches was for crisis management services. The Ponemon Institute’s 2014 Cost of Data Breach Study: U.S. also reported unusually high churn rates following news of data breaches. Your organization will want professional assistance to communicate to your customers, regulators, business partners and vendors that you are taking appropriate and reasonable steps to protect your customers with respect to any loss of data and that you will take reasonable steps to try and safeguard your customers’ data going forward.
2. Regulatory Defense (including fines and penalties)
Regulatory agencies, such as the Federal Trade Commission and Department of Health and Human Services, actively investigate data breaches within their jurisdictional powers. There are many examples of corrective actions, penalties and fines imposed by the Office of Civil Rights on behalf of HHS for HIPAA violations, including the $4.8 million in HIPAA settlements following the data breaches at New York-Presbyterian Hospital and Columbia University. This is especially important to keep in mind if your organization is a healthcare provider (a HIPAA-covered entity) responsible for its patient information or has a self-funded health plan (a separate type of HIPAA “covered entity”) where your organization is ultimately responsible for the security of the plan participants’ data. Many policies have a sublimit for regulatory defense. You may think you have a $10 million policy, only to find out that you have a sublimit for regulatory defense of $500,000, which may leave you woefully underinsured. Net Diligence reported that the average healthcare sector payout in 2014 was $1.3 million, with the median regulatory defense payout being a little more than $1 million and the mean regulatory settlement cost being $937,500.
3. Prior Acts Coverage/Retroactive Date
Prior acts coverage provides protection against prior acts that may lead to a claim during the policy period. The “retroactive date” is the date when your coverage begins, and can be subject to negotiation. Although Verizon’s 2015 Data Breach Investigations Report noted that the time from compromise to discovering the compromise is at its smallest deficit ever recorded (days or less, 45% of the time), data breaches can take many months to detect. Here is a common example: On Jan. 1, 2015, a particular program offers a patch to mitigate certain security vulnerabilities. A hacker finds that your company failed to install the patch and uses it as a means to enter your network, sets up a program to start filtering and collecting your data and then installs the patch to prevent detection of the intrusion. You apply for cyber insurance soon thereafter. Just after closing the 2015 Christmas holiday shopping season, the hackers send your data out, at which point you detect the intrusion. Your insurer subsequently notifies you that it is denying coverage for the claim because of prior acts that occurred before coverage began. This is why you want the broadest “prior acts” coverage possible. You may also want to negotiate an extended reporting period, as a subsequent insurer may claim that the data breach events did not occur during its policy period.
4. Network Business Interruption Coverage
This covers certain losses while your network is interrupted as a result of a data breach. This is especially important if your organization engages in e-commerce. How much profit would you lose if your organization was down for several days while law enforcement and your computer forensics consultants investigated the cause of a data breach?
5. Contingent Business Interruption Coverage (resulting from the acts or omissions of third parties)
Many organizations rely on third parties for processing data. For example, many healthcare providers rely on third-party billing companies and clearinghouses to process payments, making them “business associates” under HIPAA. Similarly, self-funded health plans frequently contract with third-party business associates for claims management and other plan administration functions. If the business associate suffered a data breach affecting your patients’ (or enrollees’) data, your organization may bear the ultimate responsibility for the breach. Accordingly, your organization will want coverage to offset this potential loss. Your organization may also want to consider negotiating the self-insured retention or deductible in case of a loss so that the third party is responsible to pay for the deductible if it results from the third party’s acts or omissions.
6. Defense Option/Reimbursement of Costs
Some cyber insurance policies require the insurance company to hire consultants and attorneys to defend your organization, while others agree to reimburse reasonable and necessary costs. Using your own consultants and attorneys make sense if they know your system and are familiar with your business, so you won’t have to pay for them to come up to speed on your organization. You will want to consider which path you will want to take.
7. Costs of Restoring and Recreating Data
The cost to restore or recreate data if taken or damaged can be extensive. Your organization will need to assess the cost of this coverage and its need.
8. Extortion Coverage
Criminals continue to run phishing scams where a user clicks on a link that serves to encrypt a laptop or other computer. Oftentimes, one laptop or computer can infect others, and you’ll want to negotiate this coverage to simply pay for the data to be restored.