Businesses have been dependent on computerized information for some time now, but only relatively recently have insurance companies devised and offered policies specifically tailored to the potential losses from the variety of problems that can affect a computer system.
An early impetus for cyber insurance was anticipation in the late 1990s of losses associated with the coming of “Y2K.” That concern turned out to be overblown, but the threats that have spurred cyber insurance offerings since then are real enough, including viruses, hackers, and legal injuries to others from information on a company’s website. One study has found that the average annual technology-related financial loss for United States companies more than doubled just from 2006 to 2007.
Another development that prompted more cyber insurance policies was the realization, which sometimes came as a surprise to insured businesses, that general liability policies did not cover computer problems. Cyber insurance is a good idea for all of the usual reasons associated with insuring against business losses. But it also makes sense because of the particular costs associated with responding to a computer data breach, especially now that many states have adopted data breach notification laws.
This kind of postmortem after a breach could include such measures as notifying affected customers, paying for credit monitoring for those customers, replacing compromised credit or debit cards, and undertaking forensic analyses of affected databases. All in all, there are some expensive scenarios to insure against.
Categories of Losses
The losses covered by cyber insurance generally fall into two categories: first-party losses, meaning those affecting the business itself; and third-party losses, meaning incidents mainly affecting outside parties, including the customers of a business. Of course, the same underlying problem can cause both kinds of losses, such as when unauthorized access to a computer system shuts down the computer system of a company whose customers or clients rely on that system through an extranet.
A comprehensive cyber insurance policy should encompass both kinds of risks. These are the typical categories of coverage:
• First-party business interruption, covering lost revenue experienced during downtime due to accidents or security breaches (but typically not losses due to catastrophic regional power outages);
• First-party electronic data damage, such as the compromise of data from a virus infection;
• First-party extortion, including the demands made by hackers;
• Third-party network security liability, arising from compromise and misuse of data stemming from identity theft and credit-card fraud;
• Third-party network liability in the form of court judgments obtained by persons harmed by problems originating with a business’s computer system; and
• Third-party media liability, aimed at the full range of potential liability from matter published in interactive online communications.