June 15, 2020 BY Eric Mull
Coverage Issues Related To Remote Access Breaches - Part Two: What Damages Are Covered?
This article is the second of several articles addressing various cyber insurance issues that may arise in connection with a company’s claim relating to data breaches. The focus of this article explores the type of damages covered under the typical cyber insurance policy when there is a covered data breach.
As highlighted in our first article, every company faces the risk of cyber attack, no matter the size of the company. Cyber insurance is designed to protect companies from this risk by providing two coverage components. The first coverage component is first party coverage, which provides coverage for lost income, extortion demands, required notification costs, or network/data restoration costs. The second component is third party coverage, which provides for defense costs and coverage for settlements of claims and lawsuits that result from security failures. Generally, coverage for both components falls within the following categories:
1. Network Security
Network security provides coverage in the event of a network security failure, which can include a data breach, malware infection, ransomware, extortion demands, and e-mail compromise. In addition, network security covers costs that are incurred as a direct result of a cyber event, including legal expenses; credit monitoring; credit restoration; breach notification to consumers/customers; IT forensics; negotiation and payment of a ransomware demand; and data restoration.
2. Privacy Liability
Privacy liability provides coverage for liabilities arising out a cyber event or privacy law violation, which can result from both contractual liability or regulatory investigations by government agencies and law enforcement.
3. Network Business Interruption
Network business interruption coverage can provide coverage when a company’s network (or the network of a company they rely on) goes down due to a cyber event, providing coverage for lost profits, fixed expenses, and extra expenses incurred during the time business is impacted.
4. Media Liability
Media liability coverage provides coverage for intellectual property infringement that results from the advertising of a company’s services. This coverage can apply to both online (which can include social media posts) and print advertising.
5. Errors and Omissions
When a business is shut down due to a cyber event, the shut down often can hinders or prevents the company from fulfilling contractual obligations or delivering services to customers. E&O coverage provides coverage for claims that arise from errors and omission in the performance or failure to perform services. Such coverage can both address claims for negligence and breach of contract and can also provide for defense costs or indemnification in the event a lawsuit is filed by a customer or client.
In addition to these categories of damages, businesses should consider adding coverage for the following types of potential cyber event related damages:
- Social Engineering
Social engineering coverage is designed to protect companies from the fraudulent transfer of funds. For example, such coverage could provide protection when an employee is tricked to send money from a company account to a hacker.
- Reputational Harm
Reputational harm coverage provides coverage due to brand reputation damage following a cyber event.
This coverage provides replacement for technology and other equipment that is rendered useless as a result of a cyber event.
Whether purchasing a cyber policy as a basic endorsement to a general liability policy or as a stand-alone policy, companies should be aware of the potential damages that can result from a cyber event and work with their broker or agent to ensure that such damages are covered by the cyber policy that they select. In our next article, we will explore what damages are generally not covered by cyber insurance policies.