Cybersecurity insurance coverage, pitfalls and issues — Part 1

In this latest installment of our Q&A video series focused on “What You Need to Know About Data Privacy and Cybersecurity,” McAfee & Taft attorney Anna Wolfe discusses why all businesses and organizations should consider cybersecurity insurance in addition to more general business insurance policies.


Q: Why should organizations, including small businesses and less-regulated industries, consider obtaining cybersecurity insurance?

Anna Wolfe: Cyberattacks are on the rise. Even though the attacks and breaches that make headlines involve the large companies — the Yahoos, the Experians, the Targets — we know that the statistics bear out that small midsize businesses in all industries are experiencing high levels of attacks. So just to give you some numbers, not to scare you, but to make you understand that the risk is real.

According to the Association of Corporate Counsel’s 2020 State of Cybersecurity Report, of the organizations surveyed, 40% reported that they had experienced a data breach in the preceding 12 months. At the time of reporting, said that they had over the entire lifetime of this risk had experienced an average of 24 data breaches. According to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses, 66% of the organizations reported a data breach or cyber security attack in the preceding 12 months. Accenture found that 43% of cyberattacks are directed at small businesses.

Most troubling is that we know that small to medium-sized businesses cannot bear the ever increasing costs of responding to what has become the inevitable cyberattack or data breach. According to IT professionals and business decision makers that have been surveyed, in 2018, the cost of responding to a cyberattack was $120,000, but by 2019, that costs had risen to $200,000. Unfortunately, most cannot bear that cost. According to the National Cybersecurity Alliance, 60% of small businesses that experience or are the victim of a cyberattack will go out of business within six months.

Bottom line is that you’re going to have to, at some point in time, respond to a data breach. Take steps to shift that risk using known risk management products, such as cybersecurity insurance, so that somebody else is fronting and paying for those costs that you’re going to have to incur to ensure that your business can continue.

Q: Are cybersecurity risks covered by other more general insurance policies and endorsements?

A: I think that most companies hold multiple of the traditional type of business policies — commercial general liability, directors and officers insurance, property, professional liability, commercial crime. But what we know from litigation, from the regulators, from the industry responding to the ever-increasing risk of cyber-related crimes is that those traditional business insurance policies were not written and designed to bear the cost of a cyber-related loss. And litigation has shown that the more typical language that you find in those policies is going to be used to find that coverage was not triggered or coverage was specifically excluded, be it through a definition, a condition, an exclusion for cyber-related losses.

Now, note that in every instance of coverage determinations, that the language of the specific policy at issue is going to govern. We also know that the insurance industry has taken steps to specifically add cyber-related exclusions. So as of 2014, for example, CGL policies, commercial general liability policies, now have a cyber-specific exclusion to ensure that those policies are not going to be used to shift the risk of a cyber-related loss to the CGL insurer.

So bottom line is that if you want to be sure that you are covered, if you experience a data breach, or if you think you might have been the victim of a data breach or cyberattack and you need to investigate that incident. Best practice, the reason that you have insurance is so that you are sure that you are not responsible for that loss is that you obtain the appropriate type of policy, and that is a cybersecurity insurance policy — a standalone product — or an endorsement that is added to one of your existing insurance products.

Captioning/transcript provided by Rev.

This Attorney Q&A has been provided for information of clients and friends of McAfee & Taft A Professional Corporation. It does not provide legal advice, and it is not intended to create a lawyer-client relationship. Readers should not act upon the information in this Q&A without seeking professional counsel.