Data Breach Response: The importance of cyber insurance

26 Feb 2021

Ask an insurance broker, and they will tell you that an insurer needs claims in order to survive. Ask an InfoSec expert, and they will tell you a data breach is inevitable. This is why cyber insurance has come of age. In this article, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt looks at the importance of cyber insurance as a critical part of a data breach response strategy.

Risk management

Why do businesses take out insurance? It is all about risk management. A business may be able to exclude or limit liability by contract. Risk can be managed and mitigated by policy, process and training. Some risk can be absorbed as a cost of business. Certain risks, though, can be catastrophic and also have a reasonable probability of occurring. This is the sweet spot for insurance. Insurance is a form of risk transfer in which the financial responsibility for costs arising from certain risks is transferred from the business to the insurer in accordance with the policy.

Insurance responds to the business risk environment. Thirty years ago, cyber insurance was not attractive. In the past five years in particular, it has become practically a business necessity. This is insurance responding to the cyber risk environment.

Coverage

The scope of coverage under a cyber policy should be carefully reviewed. In general, the cover will include:

Direct loss: Cyber insurance will cover the direct loss that flows from a cybersecurity incident or data breach. This will include:

  • Technical IT costs. These are the costs of the forensic IT investigation and the response to the data breach. Technical experts are typically engaged to identify the cause of the breach, restore the IT systems, and build more resilient systems. This is usually the largest single cost in a data breach response. Many policies require these experts to be drawn from the insurer's approved panel, so the data breach response plan should identify the approved firms, and the insurer's notification requirements, in advance.
     
  • Legal costs. This will typically include legal costs in respect of notification procedures, legal proceedings, and regulatory investigations.
     
  • PR costs. This will include the costs of public relations firms to co-ordinate the communications in respect of the data breach.
     
  • Hotline costs. Frequently, a hotline will be set up so that the business can respond directly to queries of data subjects or other people affected by the breach.
     
  • Administrative fines. A data protection authority may impose an administrative fine in respect of a data breach, and cyber insurance may cover the amount of the fine to the extent that the fine is legally insurable in the relevant jurisdiction. Any cover for fines will also be qualified by exclusions in respect of intentional, reckless or criminal acts.

Third-party risk: Cyber insurance can also cover loss suffered by the business arising from a security incident at another business, such as a supplier or service provider. This is particularly relevant given the increasing number of supply chain data breaches.

Geographical cover: Data makes money when it moves. A business' data will often be held in multiple locations, and the data subjects or other affected persons may be in a number of places. The policy cover should include losses that arise in every place where the business operates or holds data.

Insurance can be customised. Cyber insurance could cover more than this general summary. Each business should discuss its cyber insurance needs carefully with its broker.

Exclusions

All policies will contain exclusions from cover, which means that the policy will not pay out for those excluded matters. Common exclusions are:

Reputational loss: Data breaches can have significant adverse consequences for the reputation of a business. For large publicly listed businesses, it may even be possible to measure the reputational loss attributable to the data breach. Normally, however, reputational loss is a subjective matter that is inherently difficult to quantify, and it is therefore excluded from cover under a cyber insurance policy.

Intentional, reckless or criminal acts: This is a common exclusion. A policy won’t cover loss, fines or penalties that arise from intentional, reckless or criminal acts.

There are other common exclusions, and these should be reviewed carefully.

Getting cyber insurance

A business should speak to its usual insurance broker if it wishes to review its cyber insurance coverage. The insurance broker will help the business to assess its needs, match those needs to the most suitable policy available in the market, and complete the assessment and application for insurance. The assessment for cyber insurance is rigorous and will include a review of current IT systems and information security policies; insurers commonly ask for evidence of specific controls, such as multi-factor authentication on remote access, tested backups and an incident response plan, and the answers given will affect both the premium and whether a claim is paid. Other relevant factors are the geographical coverage needed, the size of the business, the number of employees, and the claims history.

Different pricing options may be possible according to the deductibles and coverage limits or sub-limits that are negotiated.

Closing thoughts

A data breach is inevitable. Resilient systems, good policies and procedures, and regular training are all necessary and all help to manage cyber risk. Still, even a business with good cyber hygiene will suffer a data breach sooner or later.

The key advantage of cyber insurance is that the business does not have to bear a substantial part of the financial loss arising from a data breach. That risk is transferred, subject to the policy limits, sub-limits, deductibles and exclusions that were agreed. The business can continue and survive, even after a catastrophic event.

Cyber insurance is not an optional extra. It is a core business need. No data breach response plan is complete without it.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.