Cyber insurance – a hot topic in the law of data security. Many insurance companies have started issuing policies for cyber incidents and cyber breaches – but what should be covered under a cyber insurance policy? Since there is no standard policy for cyber insurance, you are likely to find vastly different policies from a number of different insurance companies. Enterprises looking to use insurance to manage information security risk should understand exactly what they’re buying, since there’s not a lot of clear guidance on what is considered a good deal and what isn’t.

Oftentimes organizations will purchase a policy and pay a premium thinking, “I’m covered!” Then an incident happens and the organization may say, “Well, I had a breach and I lost money,” or “My client sued me, so this should be covered by our insurance policy.” Unfortunately, after a breach occurs the insurer often compares the details of the policy to what exactly happened in the security incident and informs the organization that it isn’t covered under the policy.

There are currently several pending lawsuits in the United States over precisely whether a cyber insurance policy covers a particular kind of incident. Without prior precedent, it’s unclear how these lawsuits will play out. In upcoming years, we can expect to see many more of these disputes regarding cyber insurance policies.

Purchasing cyber insurance is very different from purchasing traditional insurance, like property insurance. Since property insurance has been around for well over a century, there is a lot of standardization around what is and isn’t included in a policy. Lots of organizations recognize the need for insurance, but when purchasing cyber insurance, know that the devil is in the details and be sure you’re buying the kind of policy you expect to get.

For more tips on cyber insurance, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you with your compliance objectives, contact us today!

Video Transcription

Cyber Insurance – What is It and What is Covered Under a Cyber Insurance Policy?

A hot topic in the law of data security is cyber insurance. Many insurance companies have recently started to issue policies that are specific to cyber incidents and cyber breaches. This field is very unsettled – such that there’s no standard form for cyber insurance. There’s no standard way to state what’s covered under a cyber insurance policy. Therefore, there’s a lot to be learned by enterprises who might be interested in purchasing cyber insurance. You could consult a number of different insurance companies and find very diverse policies that are all called “cyber insurance policies,” but if you actually read the details of these policies, you can see that they cover many things. Therefore, from the point of view of an enterprise that is seeking to use insurance to manage its risk in the information security field, the organization is left without a lot of clear guidance on exactly what’s a good deal and what’s not a good deal.

One of the reasons that this is so confusing is that an organization will buy a policy, will pay a premium, and will think, “I’m covered.” Then an incident happens and the organization says, “Well, I had a breach and I lost money,” or “My consumers sued me because I had a breach and I had to pay the consumer, so I need to be covered by this insurance policy.” But what can happen is that after the breach has occurred, the insurer reads the details of the policy, compares it to what exactly happened, and decides, “That’s not covered under the policy, so you’re not going to get covered or get any kind of compensation.” Obviously, that’s very disconcerting from the point of view of the enterprise that purchased the cyber insurance policy.

As evidence of how much confusion is in this field, currently there are several lawsuits pending around the United States over the question of precisely whether a cyber insurance policy covers a particular kind of incident. What we see here is an emerging field of law where we don’t know what the outcome is going to be. We don’t know what will come of these lawsuits, and I anticipate that we’ll see a number of other lawsuits around this topic in the forthcoming years.

Thus, the purchase of cyber insurance is very different from purchasing traditional commercial insurance, like property insurance. Property insurance has been around for well over a century, and there’s been a lot of standardization around property insurance, so that when an enterprise buys property insurance, they have a pretty good idea of what’s going to be covered – a fire, a flood, and so on. But in the cyber insurance world, we’re still in the Wild West.

Organizations still have strong needs to buy some insurance, but understanding exactly what you’re buying can be one of those matters where the details are the devil. You need to drill down to those details and possibly get very good advice from legal counsel or some kind of other advisor so that you make sure you’re buying the kind of policy that you actually expect to get.