Stories about data breaches seem to pop up daily. From Macy’s department store to the Marriott hotel chain, “secure” systems across the country have been infiltrated by criminals. Cybersecurity incidents like these may have you thinking about information security best practices to put into place at your firm. Or, perhaps you’ve already taken steps to help protect your clients’ information, which may include cyber liability insurance.
But in the event of a data breach, what does cyber liability insurance cover? On the surface, this may seem like a simple question. Unfortunately, it doesn’t have a simple answer.
Data Breaches Are a Multipolicy Issue
A data breach is often a multipolicy issue, and so evaluating what’s covered (and what’s not) can be complex. A good place to start is with the difference between the two most common policies involved in these scenarios: cyber liability insurance and the fidelity bond.
Cyber liability insurance. After a cybersecurity event, cyber liability insurance will cover the cost of resulting damages. Typically, this coverage includes data forensic expenses, business interruption coverage, extortion, notification costs, public relations, and legal services. Most important for you to know? It is restricted to covering data.
Fidelity bond. Also known as “crime insurance,” the fidelity bond insures against dishonest acts (e.g., forgery or theft). Some policies extend to assets stolen in transit or by third parties. Unlike cyber liability insurance, the fidelity bond does not cover data; instead, it is restricted to covering assets.
Of course, some policies are more granular than others. But now that you understand the basic differences between cyber liability insurance and the fidelity bond, let’s dive a bit deeper into how to answer the questions your clients may have about your insurance coverage.
Answering Your Clients’ Coverage Questions
The nuances between these policy types are important, as they can make all the difference when fielding your clients’ coverage questions. To illustrate this point, let’s use a case based around an increasingly common question you may hear from clients: “How will I be covered if my assets are stolen in a breach at your firm?” Here, the focus is on assets. But a breach typically involves not only a theft of assets but also a theft of data, which can be even more malicious.
Coverage of assets. The complete answer to the question should include a discussion of the fidelity bond, which covers the theft of assets. As such, if a breach includes the fraudulent transfer of assets, you can assure your client that the fidelity bond will cover any assets that are taken.
Coverage of data. Before we talk about what data is covered, it’s important to touch on the danger in stolen data, specifically access to client assets through a variety of means. Sure, if credit card information is stolen, it can lead to fraudulent charges on those cards. But if client names, social security numbers, email addresses, and phone numbers are compromised? Fraudulent charges can be made to a multitude of accounts because those clients can now be impersonated. Accounts can even be hijacked and sold using data from other breaches. For example, when the new streaming service Disney+ launched in November 2019, malicious parties used data from data breaches at other companies to take over Disney+ user accounts and then sell them on the dark web.
Fortunately, cyber liability insurance will likely play a role in these types of claims. Because a breach is referenced in the scenario in question, it’s safe to assume that personally identifiable information was likely stolen. So, what does cyber liability insurance cover here? In this case, there are certain things that most (but not all) cyber liability insurance policies will do:
Help you determine how much data was taken through the policy’s data forensic expense coverage
Recover lost income through business interruption coverage
Pay ransom costs through extortion coverage (i.e., in the event of a)
Pay costs for call centers and notices, legal services (i.e., breach counseling), and even public relations cost to restore a damaged reputation
Provide identity monitoring programs to affected individuals
Before explaining to clients how they (and you) are covered, you must first confirm the extent of your policy. For this example, let’s assume your policy encompasses the various areas listed above. In that case, your cyber liability insurance will not only help the client protect his or her identity after the breach, but it will also help you prevent future breaches from occurring through data forensics and breach counseling.
Are You Covered?
These days, client concerns have evolved from whether they will be part of a breach to how they will be protected when that inevitable breach occurs. In turn, these worries have led to questions about what’s covered should their information be exposed if your firm becomes victim to a breach.
Of course, client concerns over their protections are valid. Sometimes, however, they may focus on assets when the problem may also concern data. Knowing the basics of cyber liability insurance—including the extent of your coverage—will help you direct those conversations to make them more meaningful and help your clients feel secure in the steps you’ve taken to help protect them.
This material is for educational purposes only and is not intended to provide specific advice.