The Evolution of Cyber Liability Exposure and Coverage

On July 25, Insurance Journal’s Academy of Insurance hosted a webinar by Joe Harrington, entitled The Evolution of Cyber Liability.

Joe started the session in the early days of cyber liability when it was a fringe third-party liability coverage, sold only to those who understood the issues around cybersecurity. What started as a fringe coverage is now a coverage that every business with any kind of network needs that includes both first-party coverages for the insured’s property and third-party liability for the data of others.

Having begun as a primarily surplus product, cyber liability has wide variety in how policy forms read. Many coverages are becoming standardized, such as public relations expenses, cost to notify potentially affected individuals, and services for affected individuals. But there is wide variety in the exclusions, including exclusion that customers should be aware of like loss to a system not owned or operated by the insured and fees, fines, and penalties.

Understandably, businesses that provide healthcare services appear to be the most likely to buy cyber liability coverage today. These businesses maintain personally identifiable information and sensitive health information that could be at risk of compromise.

Following healthcare services, manufacturers are second most likely to purchase cyber liability coverage. Coming in close behind them are small businesses that have some kind of third-party requirement to carry the coverage. Often, small businesses enter into contracts with their customers and those contracts are starting to have insurance requirements for cyber liability to protect the third-party’s data.

Cyber liability is still unusual because it is a coverage that doesn’t always require an actual loss for there to be potential payments. In the event of a potential breach or compromise of data, the cyber liability policy may be called on for payments under coverages like public relations services, notification to affected individuals, and forensic investigation. The trigger is not always that there was an actual loss, breach, or compromise. It could be a suspected loss, breach, or compromise.

If you missed it, the entire webinar is available through Insurance Journal’s Academy of Insurance.