It seems that rarely a week goes by without news of another massive cyberattack, data breach or computer hack making the front page or headlining online news sites. The number of data breaches and cyberattacks that companies and other entities have faced has been so large and expensive that Garry Byers, reporting in Digital Forensic Investigator News, described 2011 as "the year of the cyberattack."
A recent PwC report, Cybercrime: Protecting Against the Growing Threat, characterized "cybercrime ... as one of the top four economic crimes." As cyberattack increase in frequency, companies are turning to insurance to cover liabilities and losses. Insurance coverage options are increasingly available under a wide variety of existing policies and new products are being offered to provide sources for protecting valuable corporate assets.
Understanding which insurance coverage might apply after a cyberattack is critical, particularly in light of the recent guidance from the Division of Corporation Finance of the U.S. Securities and Exchange Commission (SEC:), which suggests disclosing what insurance reporting entities have for cyberrisks. The cyberrisks covered by the guidance include two of the most well-known and potentially expensive risks: cyberattacks (including denial-of-service attacks) and data breaches.
What Type of Insurance Coverage Might Apply?
After a cyberattack, putting all potential insurance companies and insurance policies on notice is key. To do that, companies need to understand which policies might provide coverage. When thinking about the answer to that question, reject conventional wisdom, which often includes comments such as, "Only cyberpolicies cover cyberrisks."
Cyberrisks can be expensive, sometimes much more than originally thought, and having the most coverage on notice for all potential costs may be critical.
Start with "Cyberinsurance" Policies. As soon as possible after learning about a cyberattack, assess the company's cyberinsurance policy and put the insurance company on notice. But before a cyberattack, a company should completely understand the coverage that the cyberinsurance policy is supposed to offer.
Called the "Wild West" of the insurance marketplace, coverage under cyberinsurance policies may vary wildly from one insurance company to another and an organization may not have purchased all potential coverage modules offered in the policy.
Look beyond the title of the policy...