The escalating cost and frequency of cyberattacks, exacerbated by climbing regulatory requirements, particularly for public companies, have led to an all-time high price tag of $4.45m globally and $9.48m in the US per data breach, according to data from IBM’s yearly report. In response to these escalating threats, many corporations are relying on robust cyber insurance policies as their first line of defense against the potential fallout of a cyberattack.
Cyber insurance policies typically provide both “first-party” and “third-party” coverage. The former reimburses a policyholder for costs incurred and losses suffered as a result of a cyberattack. This often includes costs associated with legal and forensic IT resources, business interruption costs, cyber extortion expenses, and digital asset restoration costs, among others.
For privacy breaches, these first-party policies will also often cover the cost of legal counsel, notifications to impacted individuals and possible identity theft or credit monitoring services.
Third-party coverage, on the other hand, helps defend against claims brought against the company, its directors, or its officers, including but not limited to third-party lawsuits, regulatory actions, and investigations. Examples of coverage include defense costs, settlements, regulatory investigations and formal actions, and, in some cases, costs associated with media or intellectual property wrongful acts involving the internet.
Companies are advised to audit their insurance programs comprehensively to identify complementary coverage for cyber risks under traditional insurance policies, particularly as many directors and officers policies lack broad cyber exclusions and may still provide protection against lawsuits originating from a cyberattack.
When reviewing their cyber insurance plans, companies should consider pre-approving key vendors to facilitate faster response times in the event of a cyber incident, supporting complementary incident response strategies, and ensuring cyber exclusions are not overly broad and detrimental to coverage.
A collaborative approach is recommended, whereby executive officers, risk professionals, in-house legal counsel, and in-house IT departments work together prior to a cyberattack, to ensure preparedness and adequate coverage against their unique cyber risks.
Read the full article from Andrea DeField, partner and co-lead of the cyber-insurance practice at Hunton Andrews Kurth, on Bloomberg Law.