Insurance coverage for cyber attacks? | Arnall Golden Gregory LLP
With the many recent and high-profile ransomware attacks, many companies are probably assessing their own cybersecurity and their own risks. Seeing the crippling effect that a cyber attack can have on, say, the country’s largest infrastructure systems, one naturally thinks of the potential impact of a similar attack on one’s own business, which likely leads to questions about the insurance coverage available for such attacks. Almost all industries face serious risks. For example, a breach in hospitality and retail could expose customers’ credit card information, a breach in education and healthcare could expose protected personal information, and a ransomware attack on a manufacturing plant could result in a complete shutdown until a ransom is paid.
To prepare for these risks, companies are turning to cyber insurance. According to a recently released report by the United States Government and Accountability Office, the number of cyber insurance policies increased by around 60% between 2016 and 2019, from around 2.2 million policies to more than 3.6 million policies. With this increase in demand, premiums have also increased. Although premiums remained relatively stable in 2017 and 2018, there was a noticeable increase in 2020, with brokers reporting that clients saw their premiums increase by 10-30%.
Although demand is increasing, the cyber insurance market is still relatively new, and the scope and price of coverage are constantly changing. Insurance companies don’t have good historical data to model risk, in part because coverage hasn’t been around for very long, but also because companies are often reluctant to share details of cyber attacks against them. Therefore, when new threats emerge, such as prolific ransomware attacks, insurance prices tend to rise sharply. In addition, cyber attacks are evolving and new types of attacks are constantly appearing. Under these circumstances, insurers try to manage the scope, limits and premiums of this type of coverage.
For this reason, policies are not standardized, especially policies with limits over $5 million. In fact, even where the coverage sits in the insurance portfolio varies. Sometimes policyholders purchase express coverage through a stand-alone policy or as a separate coverage portion in a comprehensive policy along with other professional liability coverages. Sometimes coverage is through a cyber endorsement in another type of policy or may even be “silent” coverage based on a failure to exclude cyber coverage in, for example, an “all risks” policy. Additionally, in some areas, such as medical devices, it is unclear whether a hacking incident would be covered by a product liability policy or whether a cyber policy would be required. According to the Fifth Circuit, coverage for a cyberattack could even exist as part of the personal and advertising coverage of a commercial liability policy. See Landry’s, Inc. v. Ins. Pennsylvania State Company, 4 F.4th 366, 367 (5th Cir. 2021). What further complicates matters is that there are different types of endorsements. For example, a policy may cover breaches that occur in the insured’s infrastructure, but not breaches that occur in provider environments. Since most sophisticated businesses have complex infrastructure relying on third-party partners, having insurance covering both scenarios is critical.
Overall, however, businesses can usually purchase coverage to protect against both data theft and operational disruption, including through ransomware attacks. Policies can also provide coverage for a ransom payment, including assistance in arranging the cryptocurrency, although the policy often requires the prior approval of the insurer before making any ransom payment. It is important to note that there are legal limitations as to when ransom payments can be made, and these legal limitations would limit the ability to obtain coverage for such payments.
While cyber coverage is available, it is not necessarily standard, and the recent focus on cyber risks may warrant a review of your current insurance portfolio.