The frequency, scale and sophistication of cyber security breaches continue to escalate. In the COVID-19 era, new cyber security threats have emerged as a result of the workforce shifting primarily to remote work environments.
In light of the ongoing and evolving threat of cyber security breaches, including new attacks seeking to exploit less secure remote work environments, companies should be aware of the variety of insurance that may provide coverage for losses resulting from a cyber security incident as well as potential insurance coverage issues that may arise when seeking coverage under a cyber insurance liability program.
Coverage for Cyber-Related Losses Exists in Different Types of Policies
As an initial matter, it is important to realize that cyber security incidents may give rise to a variety of different types of losses, including a combination of first party losses directly incurred by the policyholder as well as third party liabilities stemming from the incident.
The losses may not all be covered by your specialty cyber insurance policy. It is, therefore, critical to recognize the different types of coverages provided under all your policies that may be triggered, including but not limited to:
- First Party Property Policies, which may include coverage for property damage to computer equipment and hardware and business interruption coverage for business operations impaired as a result of a cyber security incident;
- Directors and Officers Liability Policies, for government investigations, regulatory or enforcement actions, consumer class actions, shareholder derivative suits and securities class actions for, among other things, privacy violations or failure to adequately disclose cyber security-related issues in corporate disclosures; and
- Crime Policies, to cover loss of funds as a result of a fraudulent funds transfer, employee theft or forgery.
If you experience a cyber incident, check all your policies to see which ones may respond and provide notice under all policies that could potentially provide coverage.
Typical Cyber Insurance Coverages
Although coverage is likely to differ from policy to policy, cyber policies typically include coverage for the following types of losses:
- Forensic Investigation of Cyber Incident — the costs incurred to hire expert consultants to determine the cause and extent of the breach.
- Restoration of Digital Assets and “Computer System” — the costs to restore or replace lost digital assets and restore the capacity or functionality of the “Computer System” to its pre-breach level.
- Cyber Extortion — ransom paid to stop an attack or return access to a company’s system or stolen information.
- Business Interruption Losses — lost profits resulting from the inoperability of the “Computer System” because of a cyber incident.
- Event Management — costs to notify third parties regarding the potential compromise of their personal information and related costs for credit/identity monitoring.
- Privacy Liability — costs to defend against consumer class actions or other third party liability from the cyber incident.
- Regulatory Fines and Penalties — legal fees, fines and penalties as a result of a regulatory investigation for violation of privacy laws.
Potential Coverage Issues Under Cyber Policies
Policyholders that are aware of the limitations to coverage under cyber insurance policies will be better equipped to navigate the claims adjustment process should they be faced with cyber-related losses. Because each policy is different, it is important to review your individual policy and understand its coverages and exclusions.
1) Insurance Companies Typically Argue that “Upgrades” and “New Functionality” Are Not Covered
Generally, cyber policies cover the costs to restore your digital assets and the capacity or functionality of your “Computer System” to pre-breach levels. Insurance companies typically take the position that they will only cover the costs to repair or replace what you had before.
To avoid protracted claims adjustment processes and potential litigation, policyholders are advised to assess their cyber security systems, controls and policies before experiencing a cyber incident in order to identify and remediate any system vulnerabilities. This is particularly important in the current remote working environment.
2) Coverage to Restore “Computer Systems” May Be Limited
Coverage for restoration of a “Computer System” can broadly include hardware and software, electronic data, firmware and system devices and peripherals. Some policies, however, define “Computer System” more narrowly, potentially limiting coverage.
For example, some policies do not include hardware in their definition of “Computer System” or limit coverage to hardware and peripherals owned by the policyholder.
In light of the increase in remote working, much of which involves the use of personal employee-owned devices, you should review your cyber policy, including the definition of “Computer System,” to determine whether the policy covers home office and other personal computing devices owned by your employees.
3) Business Interruption Losses Require Proof of Causation
Generally, cyber policies will offer coverage for business interruption (BI) losses sustained during the period of interruption caused by a cyber incident. Such coverage typically is limited in time, even though it may take longer to restore system operability.
BI claims made under cyber policies are susceptible to challenge regarding causation and methodology. In preparing the BI component of a proof of loss quantifying the amount claimed, it is important to ensure both that the quantification of such losses is calculated using a methodology generally accepted within the applicable industry and that a causal connection can be shown between the losses claimed and the cyber incident.
In the context of the current pandemic, insurance companies may challenge a policyholder’s claim for BI losses on the basis that the losses are attributable to the COVID-19 shutdown — and were not caused by a cyber incident. To recover on such a claim, the policyholder will have to demonstrate that the losses were caused by the cyber incident and not a result of something else — such as the pandemic.
4) Other Insurance Coverage Issues
Where other types of insurance policies may provide coverage for particular cyber-related losses, cyber insurance companies may attempt to avoid or limit their exposure by invoking “other insurance” provisions in their cyber policies to argue that a different policy must respond to the claimed losses first.
The purpose of “other insurance” clauses is to prevent over-insurance and double recovery under different insurance policies. Notably, “other insurance” provisions are triggered only where two or more policies cover the same type of risk during the same period of time.
Cyber-related claims made under different types of policies arguably may cover different risks during different time periods, thereby foreclosing a cyber insurer’s ability to invoke the other insurance provision to reduce or limit its liability.
Every cyber incident and claim is different, and in the era of COVID-19, those incidents and claims are likely to continue to evolve.
A policyholder can best protect its interests by ensuring that it has adequate cyber security controls in place before experiencing a cyber incident, including controls to strengthen the integrity of its remote work environments, and by reading and understanding the coverages provided under its cyber insurance and non-cyber specific policies.
Consultation with a professional broker or coverage counsel may assist in understanding what your policies cover and offer tangible advice on how to maximize potential coverage.
See AMHS Ins. Co. v. Mut. Ins. Co., 258 F.3d 1090, 1097 (9th Cir. 2001); Fed. Ins. Co. v. Firemen’s Ins. Co., 769 F. Supp. 2d 865, 876 (D. Md. 2011); Boston Gas Co. v. Century Indem. Co., 454 Mass. 337, 361 n.36 (Mass. 2009); Travelers Ins. Co. v. Lopez, 93 Nev. 463, 469 (Nev. 1977).