Cyber Insurance: Beware of the Fine Print
By Seth Berman, Partner, Nutter and Ashley Paquin, Associate, Nutter
Meanwhile, the cost of breaches continues to soar. Cybersecurity Ventures predicts cybercrime damages will cost $6 trillion annually by 2021. The insurance market is both intrigued by and wary of this risk. On one hand, insurers see cyber insurance as a growth market and have started offering many different types of cyber insurance coverage. On the other hand, insurers are worried that losses could quickly multiply and therefore have been taking steps to limit their exposure to cyber risks. For example, cyber risks have been excluded from most general insurance policies. Companies must now purchase either standalone cyber insurance or a cyber insurance rider to their general liability policies.
Coverage under these cyber insurance policies is not standardized, meaning different policies cover or exclude different kinds of events. Because the track record of cyber insurance policies is quite short, many issues of interpretation have not yet been definitively settled. As a consequence, breaches often result in disputes between the insured and their insurer regarding whether an incident is covered by a particular policy.
This problem is made harder to address in advance by the fact that hackers are continually evolving new ways to penetrate networks and monetize the information they find, which means that many types of attacks were unknown at the time the policy that might cover them was drafted.
The perils of insurance policies are perfectly illustrated by a recent lawsuit. The National Bank of Blacksburg in Virginia recently filed a lawsuit against its insurer relating to two cyber security incidents that happened in 2016 and 2017. The two data breaches (apparently by the same set of hackers) allowed the hackers to access the bank’s systems and remove critical security measures from customer accounts. The 2017 data breach also allowed the hackers to change customer balances. Once these accounts were altered, the hackers withdrew the money in customer accounts from ATMs. The fraudulent ATM transactions could not have occurred without the hacking, as the hackers disabled the daily withdrawal limits and obscured the evidence of the fraud, controls that otherwise would have significantly limited the amount of money that could be stolen.
Buying cyber insurance is not nearly as simple as buying other types of corporate insurance policies
Regardless of how the National Bank of Blacksburg case turns out, all consumers of cyber insurance should learn an important lesson: carefully verify whether cyber insurance covers the types of risks that your company may face and ensure that any limits on recovery are consistent with possible damages. Although some insurance coverage is better than none, insurance is very much defined by the fine print.