Understanding Coverage Options for Cyber Threats

By Lorelie S. Masters, Syed S. Ahmad and Patrick M. McDermott

As the news about cyber breaches continues to show, businesses cannot rely on prevention strategies alone to protect themselves from cyber incidents. Nor are banks immune. For example, in 2016, the bank subsidiary of a major British retailer reported a hack that resulted in a $3 million loss. All companies must consider how they will respond once their systems are breached.

As recognized in a recent Federal Financial Institutions Examination Council (FFIEC) statement, cyber insurance is one element of that response worth considering. According to one study, the average cost per stolen record in the financial services industry was $336. The FFIEC statement points out that cyber risks include “financial, operational, legal, compliance, strategic, and reputational risks resulting from fraud, data loss, or disruption of service.”

While non-cyber insurance policies such as general liability, directors and officers (D&O) and errors and omissions (E&O) policies may provide some coverage, those policies increasingly include provisions that specifically exclude liabilities arising out of cyber incidents. Cyber insurance is therefore a potentially critical component of a cyber breach response plan.

Cyber insurance policies can cover a wide range of losses and expenses associated with cyber incidents. For example, coverage may include the cost of forensic analysis to determine the extent of the damage; crisis response costs such as public relations efforts and legal advice; business losses such as lost income and lost digital assets; ransom payments made to unlock files encrypted by attackers; and physical damage to hardware, including repair costs. Cyber insurance policies may also cover expenses arising from incidents that compromise customers’ personally identifiable information, including the costs of notifying affected third parties, providing credit and identity monitoring, staffing call centers for customer service and updates, providing identity restoration services, and replacing credit cards or other products. Coverage may also extend to the costs of any lawsuits filed against the company in connection with the breach.

Because cyber coverages are not uniform and cyber risks continue to evolve, companies should carefully consider their options when obtaining cyber insurance. For example, financial institutions are a primary target of social engineering attacks, which are on the rise. One insurer reported a nine-fold increase in social engineering attacks in 2017 as compared to 2016. Those attacks often involve a fraudster posing as a trusted party, such as an executive or a vendor, in order to induce an employee to authorize a fraudulent payment, and they can be very sophisticated. Because the payment is authorized by the victim’s own employee rather than taken through a direct intrusion into its systems, insurers have argued that such losses fall outside traditional computer fraud coverage. Coverage for losses related to social engineering schemes can therefore turn on just one word in an insurance policy, and even where it exists it may be subject to special sublimits that are inadequate to cover the potentially large losses.

As another example, the financial services industry’s increasing use of distributed ledger technologies such as blockchain may pose unique issues for insurance coverage. For instance, a cyber insurance policy may cover losses relating to a breach of computer systems, a definition that specifically includes cloud computing and other hosted resources operated by a third-party service provider. It is not clear whether an insurer would consider blockchain technology to fall within this definition, given that blockchains are peer-to-peer networks that are not necessarily operated by a third party, and a node run by the bank itself may not fit either the “third-party hosted” or the traditional “owned system” language.

Credit card company assessments and penalties, including those related to the PCI Data Security Standard (PCI DSS), are another area for banks to consider carefully when obtaining cyber insurance. These assessments are imposed under the bank’s contracts with the card brands and acquirers rather than by statute, so a standard cyber policy that excludes contractual payments and fines and penalties may exclude them; coverage for such assessments may nonetheless be available if specifically requested.

Cyber insurance policies should also be reviewed to ensure that they will respond appropriately in light of new regulatory requirements aimed at systemic risk and the protection of individuals’ personal data. For example, the New York State Department of Financial Services (NYDFS) has implemented a new cybersecurity regulation that imposes requirements on banks, other financial institutions and companies that sell insurance and insurance services if they are licensed to operate in New York. Among other things, covered entities must implement an overall cybersecurity program and notify NYDFS within 72 hours of certain “cybersecurity events.” Companies operating in the European Union should likewise consider their options carefully, given the large fines they may face under the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018.

The never-ending revelations of cyber breaches mean that the question for most banks is not if but when. Response plans are critical components of an overall cyber strategy, and cyber insurance is one important aspect of a response plan. When obtaining cyber insurance, banks should carefully consider the varying coverages and risks. As the FFIEC statement highlighted, engaging “outside advisors, such as attorneys and brokers” when purchasing cyber insurance can assist companies through that process.

Lorelie S. Masters and Syed S. Ahmad are partners, and Patrick M. McDermott is an associate, at Hunton Andrews Kurth LLP.