We’ve Been Hacked—Are We Covered Under Insurance?
When it comes to protecting data from a potential breach, we focus a lot on the human equation—employee negligence or carelessness, in particular. But in today’s threat-filled world, we can’t ignore another human factor: cyber criminals, whether they be individuals, organized crime rings, or state-sponsored actors.
Security firm FireEye reports that 27 percent of breaches in its latest study involved advanced malware. Cyber attacks are also prevalent in healthcare, according to the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon Institute.
“For the first time, criminal attacks constitute the number one root cause [of data breaches], versus user negligence/incompetence or system glitches,” Dr. Larry Ponemon, chairman and founder of Ponemon Institute, said in a Dark Reading article.
Does Insurance Cover Cyber Attacks?
Just as we will never eradicate employee mistakes, cyber attacks are here to stay. Many organizations have turned to insurance to protect themselves from the inevitable cost of these attacks. However, what companies may not realize is that cyber attacks are actually not covered by many traditional management and professional liability policies that they may already have.
To gain clarity on the complex topic of cyber insurance and to help businesses better protect themselves, we turned to Kimberly Holmes, Esq., RPLU, who is vice president of product development at OneBeacon Insurance.
“Most management and professional liability policies typically cover ‘wrongful acts’ and may cover certain data breaches under this definition,” she said. “These wrongful acts could include employee negligence, unintentional mistakes, and/or the failure to safeguard data security policies and procedures.”
However, many management and professional liability products exclude from coverage external or malicious cyber attacks from an outside third party. Given this exclusion, Ms. Holmes said that companies should understand the difference between “wrongful acts” that may be covered under their management or professional liability policy versus external or malicious cyber attacks that may not be covered.
“Organizations should put the purchase of a dedicated cyber liability policy at the top of their corporate priorities list,” she added. “Without specific, dedicated coverage and policy limits to address the ever-increasing frequency and severity of cyber events, a company’s bottom line may become significantly vulnerable.”
The good news about a dedicated cyber liability policy, Ms. Holmes said, is that both internal data breaches—which often result in government regulatory scrutiny and potentially severe fines and penalties—as well as external cyber attacks or “hacks” are generally contemplated under most cyber policies in the market today.
“Given the growing frequency of cyber attacks in the health care sector, the likelihood of such events ‘squeezing’ into some form of coverage under a traditional management or professional liability policy may become more remote,” she said. “A best practice to securing coverage for cyber breach events, whether unintentional or a criminal cyber attack, is to purchase a comprehensive cyber policy tailored to an organization’s specific needs and risk tolerance.”
When shopping around for such a policy, Ms. Holmes suggested that it be evaluated not only from a legal or cost perspective, but also from an operational one. Consider:
- What types of cyber events are covered?
- What breach response services does it provide?
- Can I tailor the coverage to meet the specific needs for any given cyber breach event? For instance, would the policy also respond to the cost of health identity monitoring rather than just standard credit monitoring if PHI is breached?
Humans, whether simply careless or completely malicious, will always be the wild card when it comes to putting data at risk. Add technology, and you have a perfect storm. The right cyber liability coverage is absolutely critical to protecting your organization and your customers.