By Robin Kester*
“Either you have been data breached or you just do not know that you have been data breached.”
I. The Rise of Cyber Insurance
Many companies are attempting to mitigate their risks with cyber liability insurance as a result of the highly publicized data breaches of Target, Home Depot, Niemen Marcus, and Sony Pictures Entertainment. A data breach can lead to lawsuits brought under legal concepts of invasion of privacy, negligence, breach of contract, defamation, etc. When “business data is destroyed, stolen, hacked, extorted, [or] compromised, cyber insurance benefits kick in to minimize and indemnify companies for losses to others.”
Under certain statutes and regulations, companies are required to report data breaches where there has been a disclosure of personal information. At least 47 states have some form of a mandatory breach notification law that applies to educational, private, and governmental organizations. Fines can be imposed if a company fails to notify the public.
II. Types of Coverage
First party insurance policies generally cover an organization’s expenses with an associated data breach such as the public notification requirement, investigation, crises management, remediation, and costs associated with bringing in outside vendors. Third party coverage generally protects the organization against liability and defense costs with respect to customer claims and regulatory schemes.
Some examples of policy coverage are the following:
- Exposure of confidential information and a breach of an organization’s computer network security.
- Intellectual property theft and extortion
- Business interruption
- Reputational damage
- Costs associated with replacing an organization’s digital assets
- “Rogue employees”
- Security audits, post incident public relations customer credit monitoring services, investigative expenses and criminal reward funds.
III. Policy Exclusions
It’s important to note that cyber insurance policies can be limited in the scope of their coverage. The following are generally excluded from cyber policy coverage.
- Breaches of protected information in paper files.
- Claims brought by the government or regulators, including the Office of Civil Rights, the Department of Health and Human Services, and the Office of the Attorney General.
- Vicarious liability, for data entrusted to a third-party vendor, when the breach occurs on the vendor’s system.
- Unencrypted data.
- Claims based upon negligent computer security.
- War and cyber terrorism.
IV. Determining Cyber Risk and Evaluating Cyber Insurance Premiums
With respect to life insurance, actuarial science was developed as a result of a need to establish the cost of life insurance premiums and life annuities. Over time, mortality tables were created to determine these values and the likelihood of a person’s death. Car insurance premiums are also based on factors including a person’s age, gender, driving record, make and model of the car, where the car is parked, etc. But, how is an organization’s risk to cyber exposure determined, and how is a premium evaluated for cybersecurity insurance?
One of the problems with cybersecurity insurance and cyber risk is that it is so new that there is “a lack of historical data attributed to cyber-attacks that can be used to estimate probabilities of loss and calculate loss values. This absence of data makes it difficult to determine appropriate premiums.”
“[C]yberattacks don’t just happen to big companies.” In fact, “71 percent of cyber-attacks occur at businesses with fewer than 100 employees.” Nonetheless, insurance companies must come up with some factors in order to determine the policy premium such as a “company’s industry, services, data risks and exposures, computer and network security, privacy policies and procedures and annual gross revenue.” Other factors such as the number of employees, the country the company is based in, the type of data the company generally handles, and the number of countries the company has business with (global footprint) can also be used in assessing the cost of a data breach.
Many data breaches are often not reported. “[T]he lack of credible data on losses and the potential risk accumulations have made insurers cautious, resulting in some offering relatively small limits.” In addition, “over the last 15 years, the cyber insurance market has grown from about 10 insurers to about 50 carriers providing stand-alone cyber insurance, generating $2.75 billion in gross written premiums (GWP) in the U.S. [in 2015].”
Since publicly traded companies must disclose data breaches, this should help provide more actuarial data going forward. Thus, the cost of cyber insurance premiums should be able to be calculated with more accuracy in the future.
V. Policy Language and Caps on Policies
Another criticism of the cyber insurance market is the lack of uniformity in the underwriting process. Over the years, insurance policy terms in general have become more standardized, and the meanings of the terms are uniformly understood as a result of litigation and steady changes in the law. To that end, “[t]his is why most standard policies today by and large say the same thing.”
However, the terms used in cyber insurance policies can vary and can have multiple meanings in different jurisdictions due to the constant change in cyber risk. As a result, litigation over disputed policy language is expected in the near future.
Cyber liability insurance companies also generally place caps on their payouts. For example, when Target had a data breach, its cyber insurance covered only 36% of its data breach costs.
Although cyber liability insurance is available, purchasers should carefully read their contracts and choose policies that fit their needs. Businesses should carefully review and understand what types of claims are covered and excluded as well as understand any caps on payouts. Finally, soliciting bids from multiple insurance companies will help in negotiating better terms and coverage.
* Robin is a solo law practitioner in Greensboro, NC at the Law Office of Robin L. Kester. She received a B.S. degree in Computer Science from High Point University, an M.S. degree in Computer Science from Wake Forest University, and a J.D. from Elon University School of Law. Robin’s practice areas include general business formation, technology consulting, contract review/drafting, and providing estate planning services.
 Sarb Sembhi, An Introduction to Cyber Liability Insurance Cover, Comput. Weekly (July 2013), http://www.computerweekly.com/news/2240202703/An-introduction-to-cyber-liability-insurance-cover.
 Vijay Basani, Opinion: Cybersecurity Insurance – Weighing the Costs and the Risks, MarketWatch (Mar. 25, 2015), http://www.marketwatch.com/story/cybersecurity-insurance-weighing-the-costs-and-the-risks-2015-03-25/print. Although cyber insurance has been around for the last decade, it is relatively new to the insurance market. Maria Clark, Companies Consider Cyber-Insurance for Attacks, ThinkITSolutions (Feb. 20, 2015), http://www.thinkitsolutions.com/industry-news-item/; Sembhi, supra note 1.
 Basani, supra note 2; David Bisson, Sony Hackers Used Phishing Emails to Breach Company Networks, TripWire (Apr. 22, 2015), http://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/. Steve Embry, Cyber Insurance: Panacea or Pandora’s Box?, ABA Law Practice Today (Jan. 14, 2016), http://www.lawpracticetoday.org/article/cyber-insurance-panacea-or-pandoras-box/.
 3 New Appleman Law of Liability Insurance, § 18.02 (Matthew Bender, Rev. Ed.)
 Basani, supra note 2.
 New Appleman Law of Liability Insurance, supra note 4; Basani, supra note 2.
 Security Breach Notification Laws, Nat’l Conference of State Legislatures (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. North Carolina has enacted the Identity Theft Protection Act, which imposes certain obligations to businesses regarding social security numbers and other client personal information. N.C. Gen Stat. § 75-60 (2005).
 Peter K Rosen, et. al, Cyber Insurance: A Last Line of Defense When Technology Fails 5 (Latham & Watkins) (2014).
 Eric G. Orlinsky, Kathryn L. Kickey, & David T. Shafer, Cybersecurity: A Legal Perspective, 47 Md. B.J. 32, 35 (2014).
 New Appleman Law of Liability Insurance supra note 4, at § 18.03.
 Basani, supra note 2.
 Cybersecurity, Nat’l Ass’n of Ins. Comm’rs, http://www.naic.org/cipr_topics/topic_cyber_risk.htm (last updated Jan. 25, 2016).
 A rogue employee is generally a disgruntled employee who intentionally sells or discloses a company’s business secrets. Lisa, Rogue Employee, Hillcrest Agency (Jul. 7, 2014), http://www.hillcrestagency.com/rogue-employee/.
 Basani, supra note 2.
 Taylor Armerding, Cyber Insurance: Worth it, But Beware of The Exclusions, CSO (Oct. 20, 2014) http://www.csoonline.com/article/2835274/cyber-attacks-espionage/cyber-insurance-worth-it-but-beware-of-the-exclusions.html (citing Kevin Smith, How Cookie-Cutter Cyber Insurance Falls Short, Dark Reading (Oct. 6, 2014), http://www.darkreading.com/perimeter/how-cookie-cutter-cyber-insurance-falls-short/a/d-id/1316365?_mc=RSS_DR_EDT).
 Sid Yenamandra, Thinking About Cyber Insurance? Watch Out For These 5 Exclusions…, Entreda (Mar. 23, 2015), http://www.entreda.com/#!Thinking-about-cyber-insurance-Watch-out-for-these-5-exclusions/ccqk/55b9269b0cf27acb2d8c134d.
 Cyber Insurance and The Terrorism Exclusion…, Cyber Risk & Ins. Forum, http://www.cyberriskinsuranceforum.com/content/cyber-insurance-and-terrorism-exclusion (last visited Jan. 23, 2016); Roberta Anderson, Does Your Cybersecurity Policy Cover Cyberterrorism?, Cyber Risk Network (June 5, 2014), http://www.cyberrisknetwork.com/2014/06/05/cybersecurity-policy-cover-cyberterrorism/.
 E.A. Lew & Frank A. Weck, Actuarial Science: A Survey, 1951 Ins. L.J. 946.
 What Determines the Price of My Auto Insurance Policy?, Ins. Info. Inst. http://www.iii.org/article/what-determines-price-my-auto-insurance-policy (last visited Jan. 21, 2016).
 Joe Calandro, Eric Matrejek & Neal Pollard, PricewaterhouseCoopers, Managing Cyber Risks with Insurance: Key Factors to Consider When Evaluating How Cyber Insurance Can Enhance Your Security Program, (2014), https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-managing-cyber-risks-with-insurance.pdf.
 Nicole Fallon, Cybersecurity: A Small Business Guide, Bus. News Daily (Jul. 28, 2015), http://www.businessnewsdaily.com/8231-small-business-cybersecurity-guide.html.
 Big Threat: Protecting Small Businesses from Cyber Attacks, Small Bus. Comm. (Apr. 22, 2015), http://smallbusiness.house.gov/news/documentsingle.aspx?DocumentID=398099.
 Christine Marciano, How Much Does Cyber/Data Breach Insurance Cost?, Data Breach Ins. (Feb. 1, 2016) https://databreachinsurancequote.com/cyber-insurance/cyber-insurance-data-breach-insurance-premiums/.
 Data Breach Risk Calculator, IBM, http://www.ibmcostofdatabreach.com/ (last visited May 4, 2016). “The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015.” Larry Ponemon, Cost of Data Breaches Rising Globally, Says ‘2015 Cost of a Data Breach Study: Global Analysis’, Sec. Intelligence (May 27, 2015), https://securityintelligence.com/cost-of-a-data-breach-2015/.
 Alex Wright, Cyber Market Dramatically Increases, Risk & Ins. (Dec. 1, 2015), http://www.riskandinsurance.com/cyber-market-dramatically-increases/.
 Embry, supra note 3.
 Id. Litigation has been the insurance industry’s traditional way of resolving these matters. Id.
 Target’s Cyber Liability Insurance Covered 36% of Its Data Breach Costs. How Much Does Yours Cover?, InsureOn (March 24, 2015), http://www.insureon.com/blog/post/2015/03/24/how-much-does-your-cyber-liability-insurance-cover.aspx. Target had an excess of $252 million in total costs. Id.