The views expressed herein are the views and opinions of the authors and do not reflect or represent the views of Charles River Associates or any of the organizations with which the authors are affiliated.
The economic consequences of a cyber breach can be severe. While cyber insurance can be an important tool for recovering some of the losses, other insurance policies may be critically important resources for obtaining fuller coverage on a consolidated basis.
According to Kristofer Swanson, Vice President and Forensic Services practice leader at Charles River Associates, “The global economic impact of cybercrime last year was $450 billion, but insurers wrote only $2.5 billion in premiums for ‘cyber insurance’ per se – resulting in significant residual exposure for both companies and individuals.”
So what do cyber policies cover? “Coverage varies and depends on the policy but coverage may include investigation/incident response costs, legal fees, credit monitoring, public relations costs, notification costs, regulatory defense and penalties, cyber extortion, digital asset replacement expenses, and business interruption. These losses can be costly, but mitigating the losses is really a question of the type, amount and limitations of coverage,” stated Scott Solomon, Vice President, Charles River Associates. “The economic impact of a breach can be vastly more extensive, and so a critical assessment of a company’s other insurance policies is essential to avoid missing out on additional opportunities for recovery.”
Some types of policies have been reconsidered with a more current interpretation. “For example, business interruption insurance may cover the loss of income following a disruption from ransomware,” said Swanson, “while some companies have successfully sought coverage under ‘kidnap and ransom’ policies in situations in which their networks were constructively kidnapped by ransomware.”
The board also faces exposure to the cyber menace. “Fortunately, directors’ and officers’ policies may provide important coverage to board members if they are named as defendants in cyber-related derivatives actions,” added Solomon.
Numerous other policies may be relevant – such as property insurance, which may cover physical damage caused by malware; fidelity insurance, which may cover situations of employee-caused theft or sabotage; and contingent business interruption insurance, which may cover a company’s losses in situations when a cloud provider sustains an interruption to service levels.
In summary, while cyber insurance policies may appropriately help mitigate certain related cyber risks, it is essential to monitor and periodically assess all current policies – as well as evolving case law and coverage determinations – to most accurately assess the adequacy of current overall coverage.