Privacy Liability/Network Security (i.e., Cyber Insurance) policies cover your organization for losses related to data breaches and privacy or security failures.
Below is an outline of the most important exposures to insure in a Cyber policy. Policies are broken down into First Party coverage (losses suffered only by you, the insured) and Third Party coverage (losses suffered by others for which you are held liable).
Privacy breach liability
Amounts you owe to third parties, or to your own employees, for damages caused by their private information getting into the wrong hands.
Costs of notification
Nearly all states mandate notification of individuals whose data has been breached. In the few states that do not require it, federal law may still require it if you are in certain regulated industries.
Furthermore, depending on your industry and situation, you may need to engage in voluntary notification. The average cost of notification is $25-35 per person; multiplying that figure by the number of individuals whose records you hold gives a rough idea of the coverage limit you may need.
Regulators at the state and federal levels investigate breaches and bring enforcement actions against the business that allowed the data to be breached.
Cyber: Common Coverage Gaps
Professional Liability (Tech E&O)
Professional liability is excluded from most cyber policies. This is a problem if you are a technology or SaaS company. In that case, you should procure a specially written policy called Tech E&O and Cyber, which includes all applicable exposures in one policy.
Cost of Notification sublimit
Failing to properly calculate your potential notification costs can be a big mistake. The average cost of notification is $25-35 per person. Ideally, this sublimit will be separate from your primary liability limits; otherwise you may exhaust your coverage during the notification phase alone. Even if you are not required to notify following a breach (or potential breach), you may still want to engage in voluntary notification.
There are many reasons to do so, among them good business practice and public relations. Either way, consider the broadest coverage available for notification, so that it is triggered when you notify voluntarily and not only when notification is legally required.
Failure to Adhere to Cyber Security Practices
Most policies exclude losses resulting from your failure to adhere to the security practices disclosed in the insurance application. Follow the best cyber security practices you can, but above all make sure the controls you described in the application are actually in place, and stay in place, for the life of the policy; a misstatement there can void coverage entirely.
Definition of Personally Identifiable Information (PII)
This is an extremely important definition, so you want it as broad as possible. At minimum, it should include Social Security numbers, driver's license numbers, medical or health records, account numbers, financial records, credit card numbers and bank account numbers, whether the data belongs to customers or to your own employees.
Retroactive Date Gap
When switching from one carrier to another, be sure the new carrier matches the retroactive date of the expiring policy, as discussed toward the beginning of the Insurance section of this eBook.
Defense costs can mount very quickly with any type of Cyber liability claim. You have the option to buy a policy with defense costs outside the limit of liability. This is usually advisable unless you are on a very tight budget.
Defense costs on a serious claim can easily reach $500K to $1M, which may not leave much for the settlement or judgment if you only carry a $1M limit. This can also be an issue if you have more than one claim in a given year. Notification costs can also erode your limit, as can many other expenses associated with cyber breaches.