Client Alert: Cyber Insurance
Experience a cyber attack? Consider the following:
- Insurer consent
- Types of losses
- Preparation of the Proof of Loss
- Limits and sublimits of the policy
- Potential coverage under other policies
Cybersecurity Incidents Are Increasingly Common
Banks and financial institutions are prime targets for criminals. Most general liability and D&O insurance policies exclude coverage for cyber and electronic data losses or require specialized endorsements to provide such coverage. As a result, standalone cyber insurance policies are important aspects of a company’s overall cyber response strategy. Companies should work closely with their insurance brokers to evaluate and purchase the right policy or policies.
Actions To Take Should a Cyber Incident Occur
It is important to follow the requirements of the policy regarding incident response, especially events necessitating early and immediate notice to the insurer(s) and/or a cyber-security firm with which the insurer has contracted and/or government authorities, as applicable. Certain incident response actions may also require prior approval of the insurer.
Based on Barack Ferrazzano’s experience representing clients that have experienced cyber attacks, a company that suffers a cyber incident should consider the following:
- Timing — The policy may have multiple reporting requirements, including some immediately after an attack has occurred. Be sure to check and comply with notice requirements of your excess and umbrella policies too.
- Insurer consent — In addition to notice, the policy may require a company to use a pre-approved consultant or get the insurer’s consent before engaging forensic, security, public relations, and other professionals.
- Types of losses — The policy may provide coverage for first-party losses (those costs the entity incurs in responding to and remediating the attack, as well as the entity’s losses as a result of the interruption to its normal business), third-party claims (lawsuits and other claims and demands made against the company as a result of the incident), and privacy-related costs (breach notification, hotlines, credit monitoring).
- Preparation of the Proof of Loss — You will have to explain the details of the cyber attack and substantiate your losses. This can be an expensive undertaking, sometimes necessitating outside consultants. The earlier you gather documents to support your expenses and business losses (e.g., invoices, timesheets, financials) the better. It also may be useful to designate a point person to keep notes or a narrative regarding the incident response. As time passes, it can be difficult to recall or otherwise easily recreate the response and remediation steps that were taken.
- Limits and sublimits of the policy — Cyber policies often have sublimits that apply to certain types of losses.
- Potential coverage under other policies — Depending on the type and nature of the attack, you may have coverage under other policies. For example, some Kidnap & Ransom policies have broad coverage for extortion and/or specific coverage or endorsements for cyber extortion that may apply to a ransomware attack. And a crime policy may cover losses resulting from so-called social-engineering schemes.
After The Immediate Crisis
Once the immediate crisis is addressed, the hard work with the insurance company may just be beginning. You will have to substantiate out-of-pocket costs and the financial impact of the attack. This will require significant internal resources and, potentially, outside consultants. Again, the insurer will have specific requirements and deadlines regarding this process.
We Can Help You
Please call us if you would like to discuss any of these issues or if we can otherwise be of assistance.