In today’s warp speed, online world, data breaches are making headlines on a daily basis.  Unfortunately, most people still do not understand the basics of a cyber liability insurance policy or know how to protect their institution from the ever-present cyber threats.  The potential costs associated with a data breach can be significant.

It is important to understand not all cyber policies are the same.  Just because you purchased a cyber-liability policy, doesn’t mean you will have the coverage needed when a breach occurs.  There is no “standard” contract form for Cyber Insurance.  There are subtle differences in the contract language of every section of a Cyber Insurance policy. If the wording of a contract is not reviewed carefully, it may leave you uninsured for a loss you thought you were protected against.

A good Cyber Insurance policy will have these coverage sections:

  • Privacy Injury Liability & Identity Theft – both basic and broad form privacy
  • Removable Media Coverage
  • Regulatory Defense (or Privacy Regulation Proceeding Coverage)
  • Public Relations & Privacy Breach Notification Expense – both basic and broad form
  • Content Injury Liability – both basic and broad media
  • Network Security Liability

However, even if your policy contains each of these sections, there is the possibility that the wording has limitations that leave your institution with no coverage.  It is essential, not only that you purchase a Cyber policy but that the policy has the wording you need. You want to make certain that all coverage sections and all exclusions are worded in such a way as to provide the maximum protection for the exposures you have.

A Closer Look

In the first coverage section, Privacy Injury Liability & Identity Theft:

A good coverage form will have the following coverage wording and will not have coverage limitations:

  • It will cover privacy injury resulting from unauthorized use or disclosure of all private information in insured’s care.
  • Is not limited to e-commerce, web site or other specified activities.
  • Is not limited to network information
  • Is not limited to electronic records only, but includes paper records

A less robust carrier form may have any of the following:

  • A limitation on the activities or information to be covered, i.e. limited to “e-commerce activities”, “your web-site activities”, “your internet banking activities”, or “your professional services”.
  • An exclusion for unencrypted mobile devices (i.e. – cell phones, laptops, etc.)

What It’s All About

The inclusion of any of this limiting language should be a “red flag” that the form is not adequate.  Be aware the wording in any section of your policy may not be adequate to appropriately protect your organization.

Don’t allow your institution to fall victim to cyber threats. Educate yourself fully on this relevant and complex topic; speak with your insurance broker today to identify the solutions necessary to protect your institution.

Specific questions? Email Adam.

The information provided herein presents general information and should not be relied on as insurance advice when analyzing and resolving a specific issue. If you have specific questions regarding a particular fact situation, please consult with competent insurance brokers and/or legal counsel about the facts and laws that apply.