Since 1997, when we wrote one of the first cyber insurance policies in the industry, we have consistently been here to help our partners place this coverage
The roots of cyber coverage go back about 20 years. Back then, only technology companies bought errors and omissions (E&O) insurance, which over time, was extended to include things like unauthorized access, destruction of data, or a virus. (Remember the Love Bug Virus that swept the globe in 2000?). These policies were named perils, not “all risk”.
The companies that bought this early “cyber” insurance were generally in the technology space and already buying E&O insurance. The technology coverage, often called “network security” or “Internet liability” was an add-on.
Over 10 years ago, we saw these “network security” policies expand into the privacy space by providing clear coverage for breaches of confidential information. That got the attention of retailers and other entities holding considerable amount of consumer data, but who were not providing the type of technology services that would warrant buying E&O insurance.
The “non-tech” companies realized the exposure and wanted stand alone cyber products that covered network security and privacy liability. That evolution has been important to where we are now.
Now more than ever companies of all sizes require “cyber” insurance. Technology has transformed the business world and with it the corporate risk landscape. Each new advancement from more powerful computers to mobile devices, corporate networks and the public internet has brought new exposures.
Policies are divided into first party coverage and third party coverage. Although each insurance company’s policy wording is unique. The basic skeleton is:
Errors and Omissions: E&O covers claims arising from errors in the performance of your services. This can include technology services, like software and consulting, or more traditional professional services like lawyers, doctors, architects and engineers.
Media Liability: These are advertising injury claims such as infringement of intellectual property, copyright/trademark infringement and libel and slander. Due to the Internet presence of businesses today, technology companies have seen this coverage migrate from their general liability policy to being bundled into a media component in a cyber policy (or a separate media liability policy). Coverage here can extend to offline content as well.
Network Security: A failure of network security can lead to many different exposures, including a consumer data breach, destruction of data, virus transmission and cyber extortion. The culprits might be looking to shut your network down so you can not conduct business, either for financial or political gain. Network security coverage can also apply if holding trade secrets or patent applications for a client, and that information is accessed due to a failure of your security.
Privacy: Privacy does not have to involve a network security failure. It can be a breach of physical records, such as files tossed in a dumpster, or human errors such as a lost laptop, or sending a file full of customer information to the wrong email address. Companies have also faced liability from returning a photocopier with a hard drive that contained unwiped customer tax records. A privacy breach can also include an action like wrongful collection of information.
All insurers use different terminology for cyber coverage; some subdivide the four components above even further, which means that cyber policies can be very difficult to read and compare.
Network Security and Privacy Liability Coverage
What’s unique about the privacy and network security coverages is that both first-party costs and third-party liabilities are covered: First-party coverage applies to direct costs for responding to a privacy breach or security failure, and third-party coverage applies when people sue or make claims against you, or regulators demand information from you.
In addition to the advances in data storage, increasingly stringent laws and regulations enacted over the past decade at both state and federal levels have heightened the standards for the duty of care companies must take to protect personal information, including formal notification to individuals should their data be compromised.
Privacy exposure exists for every company that deals in personal information, including law firms, accounting firms, healthcare, retail, real estate, service industry, educational, and financial institutions.
“Please see polic(ies) and endorsement(s) for exact terms, conditions and exclusions. Each insurance company has its own policy language. We encourage you to seek legal advice prior to securing any insurance."
- Eyes Wide Open: Eight things everyone should know about cyber insurance policies
by Peter Taffae, Advisen Cyber Liability Journal
- Privacy Fears Drive Cyber-Cover Boom
by Steve Tuckey, National Underwriter
- Advertising & Marketing on the Internet: Rules of the Road
Provided as a Public Service by the Federal Trade Commission
- Commission Enforcement Actions Involving the Internet & Online Services
by Paul H. Luehr, Federal Trade Commission
- Cyberinsurers/Producers: Opportunists or Saviors?
by Peter R. Taffae, National Underwriter
- Internet Revolution: World Wide War
by Peter R. Taffae, CPCU Society
- Law & the Internet: Location, Location, Location
by Peter R. Taffae, Risk & Insurance
- Superhighway or Cobble Street?
by Peter R. Taffae, The Betterley Report
- What Have Doctors, Drugstores, Realtors, Lawyers...Forgotten About the Internet but Plaintiff's Attorneys Remembered?
by Peter R. Taffae, PLUS Journal