Large and small companies alike are being attacked by cyber-criminals and held for ransom. When this happens, some of these companies look to insurance to help alleviate the sudden financial sting of a cyberattack and to defray the costs of litigation. This in turn raises the question: what insurance options do companies have in the event they are held for ransom by a cyberattack or their data is hacked?
According to the Insurance Information Institute, the U.S. market for cyber-liability insurance was estimated to be $2 billion in 2015. In ten years, however, it is estimated to rise to $20 billion. But this type of exponential growth will create problems for insurers and companies alike.
Moreover, cyberattacks are constantly changing and will continue to escalate. Over the next ten years they are only going to intensify and become harder to identify.
It is therefore vital for businesses of all sizes to mitigate their financial risks through insurance as cyber-threats continue to increase every day. However, unlike other insurance products, there are few standard policy forms in use today by insurers offering cyber-liability coverage. The lack of standardized forms is problematic given the evolving nature of cyberattacks. The lack of standardization also makes it difficult for companies to compare insurance products at the time of purchase. Moreover, hacking, phishing, cyber-extortion, and data ransom will be surpassed by unforeseen schemes in the future. We will see fewer calls to help a Nigerian prince get his money out of a war-torn nation, and in their place we will see more sophisticated and coordinated cyberattacks. So parties will be forced to litigate coverage disputes given the unforeseen nature of these schemes and the lack of standardized policies. Those issues are why a trusted legal advisor should be consulted at the time of purchase. Here are some key questions to consider when purchasing cyber-insurance:
• Are there any cyber-coverage provisions in my current general liability policy?
• Where is my greatest exposure to financial loss (customer records, intellectual property, etc.)?
• What is the premium cost of cyber-insurance to protect against those risks?
• What is covered and what is excluded in a cyber-insurance policy?
• Does the policy cover damages related to a derivative legal action such as a shareholder’s suit? Is there any coverage for cyber-terrorism?
• Will the policy pay the legal fees entailed in defending against a plaintiff’s suit?
• What is the reputation and record of the insurance carrier in paying cyber-related claims?
• What should I do before an attack to document the value of my data and integrity of my network?
• What actions must I take immediately after a cyberattack in order to preserve the evidence of an attack and establish grounds for a claim?
• What information and documents are necessary for filing a claim?
• Can I file a claim when my confidential data is stolen from a cloud or managed service provider?
• If service providers are involved, are they and their insurance carrier responsible for defending against any subsequent legal action?
Because of these complex issues, business owners should take the time to weigh their options and consult with their operational, technical, and legal advisors before purchasing, or renewing, cyber-insurance. Call me if you would like to have these issues addressed further.