After companies began electronically storing sensitive business and customer information, the insurance industry focused heavily on privacy protection. Businesses began implementing breach defenses and response protocols in an effort to avoid or mitigate the effects of having personal health information, financial information, trade secrets, or intellectual property stolen or used without authorization. In many cases, hackers held the information hostage and demanded payment of a ransom (“ransomware attacks”) in order to release the information and not expose it to the public. Breaches in privacy protection cause other expenses related to notification, data recovery, public relations management, reputation damages, and others. Thus, cyber insurance became a popular line of coverage offered by insurance companies. Now, with cyber-attacks getting increased media attention, the insurance industry has broadened coverage for cyber security and cyber liability into more areas than just privacy protection.
Businesses are learning that cyber breaches do not just affect privacy protection; they can also interrupt business and cause property damage. The most common course of action when a breach is noticed is to stop operations. When systems shutdown, so does the flow of goods and services. When the flow of goods and services stops, money stops coming in. With regard to property damage, many, if not most, businesses now rely on some form of computer-controlled regulation in their buildings. For example, it is common to have a building’s heating and air conditioning set on an electronically-stored schedule. If, however, the heat does not turn on when it’s supposed to, water lines can freeze. If there is water in the pipes, that too freezes and, when the ice expands, it can cause the pipes to break, releasing water into the building. As another example, consider factories that rely on computer-controlled cooling fans. If they are stopped, machines overheat and start fires. These kinds of losses are notable particularly because they do not require activity on the part of a sophisticated hacker. Rather, human error and technical glitches can cause these losses.
Hence, new lines of insurance coverage are popping up in the marketplace. Cyber coverage for business interruption and property damage are starting to be offered as umbrella coverage over property, kidnap, and ransom policies. Stand-alone cyber policies are also being offered. However, the market is young and maturing. Policyholders need to review and re-review their policies to ensure proper wording for issues such as cyber extortion, business interruption, contingent business interruption, and cyber property-related coverage. To keep premiums low in a time when cyber breaches regularly make front-page news (Equifax, Home Depot, etc.), businesses should be ready to demonstrate breach-readiness, such as the establishment of incident response teams, as well as internal and external cyber security controls.