Though some businesses have successfully made claims for data breach incidents on traditional insurance policies, relying on traditional policies for coverage has become increasingly uncertain. With data breach risk showing no sign of abating, businesses and their counsel should consider the need for cyber insurance that covers the costs of investigating and responding to a data breach.

Scope of Coverage

There are typically three types of insurable expenses associated with data breach incidents:

• Response and investigation costs, including data restoration.
• Litigation defense and damages.
• Regulatory defense and penalties.

Cyber policies are often manuscripted, meaning that specific provisions tailored to the insured’s unique risks often result from negotiations between the insured and the insurer. However, typical cyber policies on the market today include coverage for:

• The insured’s costs for responding to a data breach.
• Damages and litigation expenses arising from actions against the insured following a data breach.

The structure of cyber policies varies widely, which can make comparing policies difficult. Cyber policies often contain multiple insuring agreements, all with separate sub-limits and retentions. Coverage differences across policies can be substantial and may include not only variations as to the standard items covered, but also variations in:

• The scope of territory covered.
• Aggregate policy limits and sub-limits.
• Self-insured retentions.
• Coverage periods.

Selecting coverage entails comparing the business’s risk profile and gaps in coverage under its existing policies with the available coverage options, including manuscripted options. In addition to the terms of coverage, counsel should consider:

• Retroactive coverage for prior unknown breaches.
• The control the insurer retains over decision-making in responding to an incident.
• Whether the insurer requires using panel counsel or vendors if an incident occurs, and if so, the strength and depth of the panels.
• Retentions, limits and sub-limits.
• The cost of premiums.

Applying for Coverage

When applying for coverage, businesses may need to provide information regarding prior data security incidents and specific information regarding data security practices, for example:

• The composition of the security team.
• The percentage of total IT budget allocated to security.
• Technical, administrative and physical safeguards the business has implemented.
• Issues related to third-party controls.
• The backup of data.

In addition, many insurers require applicants to attach relevant company policies to the application.

Before writing coverage, insurers may expect applicants to reduce or limit their breach risk through a variety of means, including:

• Implementing encryption.
• Engaging in security audits.
• Deploying specific technical, administrative or other security enhancements.

Some insurers may not require these measures as conditions of coverage, but they may offer reduced rates to applicants who implement them.