As businesses become increasingly reliant on technology to store sensitive information, security breaches are becoming more prevalent. Each security breach increases the risk that a lawsuit or regulatory action could financially ruin a company and permanently damage its reputation. The situation is so bad that some retailers and financial institutions targeted by litigation and regulatory actions are trying to hold their technology vendors accountable so they can transfer some of the fallout.
Many companies find themselves financial victims because they don’t buy insurance that addresses the many exposures related to security breaches. In some instances, a breach can trigger the need for a number of coverages, including crime, errors and omissions, employment practices liability, general liability, property, and directors and officers liability. The so-called “cyber” policies address only one aspect of the exposure: the theft of information, money and identities through the Internet. That’s because these are major problems that are on the rise. According to Privacy Rights Clearinghouse, since February 2005, there have been more than 260 major security breaches involving nearly 100 million personal records. But if a company has only this basic coverage, it may not be prepared if disaster strikes. It should consider a more company-wide approach that includes insurance coverage for all possible exposures associated with a breach.
At the very least, your cyber policy should provide coverage in the following general risk areas:
· Defense Coverage – Some policies limit the insurer’s duty to defend to actual lawsuits. That means that the insurer isn’t required to defend the insured against a claim, which may or may not result in a lawsuit. Others extend the duty to defend to all claims. You should look for the provision to defend against all claims in a cyber policy. You also need to review the policy in terms of who has the right to choose the attorney who will defend the claim. Many insurers can provide a choice of counsel provision that allows the company to make that choice. Talk to your insurer about having this provision incorporated into your policy.
· Business-to-Business Coverage vs. Business-to-Consumer Coverage – If you want coverage for either or both of these risks, you have to make this known to your insurer. You need to be sure that the various exclusions and/or conditions necessary to minimize gaps in either coverage are present in your policy. These include electric/mechanical breakdown exclusion; breach of security exclusion; bodily injury/property damage exclusion; and employee malicious conduct exclusion.
· Intellectual Property Infringement Coverage – All cyber insurance policies provide some level of intellectual property infringement coverage. However, some policies offer less coverage than others. Some even exclude coverage for software copyright infringement. Review the policy before you purchase to understand how much protection you have in this area. Most insurers are willing to insure software copyright infringement risk for an additional premium.
Remember, cyber insurance is like health insurance: you should customize your coverage to suit your company’s needs. Your best defense is to talk with your insurance agent to develop a plan that is right for you.