With the many recent, high-profile ransomware attacks, companies are likely assessing their own cybersecurity and risks. Seeing the crippling effect a cyberattack can have on, for example, the nation’s largest infrastructure systems naturally brings to mind the potential impact of a similar attack on one’s own company, which in turn raises questions about available insurance coverage for such attacks. Nearly every industry faces serious risks. For example, a breach in hospitality and retail businesses could expose customers’ credit card information, a breach in education and healthcare risks exposing protected personal information, and a ransomware attack on a manufacturing plant could result in a complete shutdown until a ransom is paid.
To prepare for these risks, companies are turning to cyber insurance. According to a report recently issued by the U.S. Government Accountability Office, the number of cyber insurance policies increased by about 60% from 2016 to 2019, from about 2.2 million policies to more than 3.6 million policies. With this increase in demand, premiums are also increasing. Although premiums remained relatively steady in 2017 and 2018, there was a notable increase in 2020, with brokers reporting that clients saw a 10-30% increase in premiums.
Although demand is increasing, the cyber insurance market is still relatively new, and the scope and price of coverage are in flux. Insurance companies do not have the benefit of good historical data to model risk, in part because the coverage has not been around very long, but also because companies are often reluctant to share details of cyberattacks against them. As a result, when new threats emerge, such as prolific ransomware attacks, insurance pricing tends to increase steeply. Further, cyberattacks are evolving, with new types of attacks constantly arising. Under these circumstances, insurers are trying to manage the scope, limits, and premiums for this type of coverage.
Because of this, policies are not standardized, especially policies with limits over $5 million. In fact, even where the coverage sits within the insurance portfolio varies. Sometimes, policyholders purchase express coverage through a standalone policy or a distinct coverage part in a package policy with other professional liability coverages. Sometimes, the coverage is through a cyber endorsement in another type of policy, or it can even be a “silent” coverage based on the failure to exclude cyber coverage in, for example, an “all risks” policy. Additionally, in some fields, such as medical devices, it is unclear whether a hacking incident would be covered under a products liability policy or whether a cyber policy would be required. According to the Fifth Circuit, coverage for a cyberattack could even exist under the personal and advertising injury coverage in a commercial general liability policy. See Landry’s, Inc. v. Ins. Co. of the State of Pennsylvania, 4 F.4th 366, 367 (5th Cir. 2021). Further complicating matters, there are different types of endorsements. For example, a policy may cover breaches that happen within the insured’s own infrastructure but not breaches that occur in vendor environments. Since most sophisticated companies have a complex infrastructure reliant on third-party partners, having insurance that covers both scenarios is paramount.
Overall, though, companies can generally purchase coverage to protect against both data theft and operational disruptions, including those caused by ransomware attacks. Policies may also provide coverage for a ransom payment, including assistance with arranging the cryptocurrency, though the policy will often require pre-approval from the insurer before any ransom payment is made. Importantly, there are legal limitations on when ransom payments can be made, and those legal limitations in turn limit the ability to obtain coverage for such payments.
Although cyber coverage is available, it is not necessarily standard, and the recent focus on cyber risks could warrant a review of your current insurance portfolio.