A critical component of a good cybersecurity plan is an analysis of the insurance policies to make sure they cover the kinds of loss that leave your business most vulnerable. In our last post, we covered one of the most common cyber threats, the CEO Fraud or Business Email Compromise. Businesses that fall victim to the CEO Fraud suffer what is known as a first-party loss, which is not covered by many cyber insurance policies.
The majority of cyber insurance policies focus on third-party claims against a business. Third-party claims include circumstances in which a consumer or other party is harmed as a result of a policyholder’s cyber incident. However, the biggest cyber losses are typically caused by fraud and business interruptions — both first-party losses.
Given this, it is important to distinguish between coverage for first- vs. third-party claims. Most often, if there is first-party coverage, it is limited to data breach notification expenses: the cost of complying with the legal obligation of notifying affected parties whose data was exposed. But there is often no – or minimal – coverage for the significant costs of investigating and fixing the breach, including the cost of recovering data or resuming any operations interrupted by the breach.
Businesses can be negatively impacted by the following first-party losses:
- Destruction of proprietary or otherwise irreplaceable or hard-to-replace data or information;
- Damage to hardware, network, and other software; and/or
- Expense of the data breach response.
In addition to the direct loss of business property, these losses are often compounded by the loss of revenue from not being able to conduct business. All of these losses, including business interruption, can be covered if the cyber policy is properly tailored to the specific business.
The first step to avoiding the surprise of an uncovered loss is a careful analysis of your business's specific cyber risks and exposures. That analysis can then be compared to your existing policy to identify gaps in coverage. Experienced insurance-coverage counsel can walk you through these steps and work with your insurance broker to fill in any gaps.
In our next post we will talk about the impact of increasing privacy regulations on businesses’ cyber risk.
Ryan J. Cooper, Esq., CIPP/US
600 Linden Place
Cranford, NJ 07016