How a Cyber Attack Triggers Multiple Parts of a Cyber Security Insurance Policy
October 3, 2022
Cyber liability insurance coverage is not a one-size-fits-all blanket policy that can be applied to all types of businesses. Every organization has choices as to what types of cyber liability coverage it needs to protect itself from a malicious attack such as ransomware or malware—and knowing the ripple effects the attack can have on everything from sensitive customer data to business continuity is important in determining how to make that choice.
Before you cut back on coverage under your cyber liability insurance policy to save premium dollars, make sure you understand the inter-connectivity between the different coverage elements and how they apply to a modern cyber attack.
Below, you’ll find an example scenario demonstrating what parts of cyber insurance coverage are likely to be triggered by a hypothetical cyber security event.
The scenario: a payment processor has experienced a ransomware attack that has completely disabled its network, preventing it from facilitating payments for its users. Furthermore, sensitive financial data of users who have saved their payment information with the company may be at risk of being compromised—although the full extent is not yet known. The attackers have demanded a large ransom to restore the critical data needed to resume the network’s functionality but have made no mention of the status of any sensitive customer data.
The following outlines what specific portions of a cyber security insurance policy would be triggered by this event and how the policy may respond after the event has passed.
Network security coverage should be considered an essential component of a cyber security insurance policy for most organizations, especially one subject to financial information and data privacy. In this hypothetical scenario, a network security failure has resulted in a ransomware attack that has disabled the company’s network.
Network security covers first-party costs (i.e., expenses incurred directly from a cyber incident.) This coverage typically entails elements such as:
- Legal expenses
- IT forensics
- Negotiation and payment of a ransomware demand
- Data restoration
- Breach notification to consumers
- Public relations advisement
These elements come into play following a breach and cover several areas of response. Once the cyber insurance carrier has acknowledged the breach, a coordinated response is initiated that involves receiving advisement from breach counsel in conjunction with findings from IT forensics specialists.
In most cases, breach counsel retains its own third-party IT forensics consultant to undertake an independent investigation that includes analyzing the cause, origin, and scope of the incident, along with any recommendations for network/system remediation. A cyber extortion case manager may also be tapped to negotiate the ransom demand and payment method on behalf of the company.
In the meantime, breach counsel and IT forensics will also assess the status of the company’s data to determine if it has been exfiltrated or wrongly disclosed, including sensitive or personal information regarding its customers.
If the IT forensics team confirms the compromising of sensitive data, breach counsel will analyze a company’s legal obligations to notify its customers, government authorities, and credit monitoring agencies. As such, a public relations team will be tasked with handling communication with media outlets or customers regarding the incident, its impact, and subsequent response.
Eventually, a decision must be made on whether or not to pay the ransom demand. The decision to pay is weighed against factors such as the total cost of restoring the stolen data from backups and projected costs stemming from any form of business interruption as the data is restored.
In this hypothetical scenario, it is determined to be in the best interests of the company to decline to pay the hefty ransom demand and to instead initiate restoration of the data from backups in a manner that allows the company’s mission-critical processes to resume as quickly as possible, thus enabling payment processing to resume after several hours. It was also determined that only a small portion of sensitive customer data was potentially compromised.
Cyber Security Insurance Policy Response:
Now that the ransomware incident has been resolved in an immediate operational sense, its impact must still be addressed in several other areas of the policy.
Network Business Interruption
Network business interruption coverage allows a business to recover lost profits, fixed expenses, and other added costs incurred due to its network being disabled from a cyber security event.
In this case, the coverage reimburses the payment processing company for the revenue it missed out on when it could not facilitate payments during the ransomware attack due to the network being down.
Errors and Omissions
A payment processing company is depended on to facilitate payments for its customers. The ransomware attack disabled its network, rendering the company unable to fulfill its contractual obligations in delivering this service to its users, which in turn meant retailers and vendors were unable to take certain forms of payment from their customers during the attack—likely costing them revenue.
This is where Errors and Omissions (E&O) coverage comes in. E&O covers claims arising from errors in the performance of or failure to perform your services. The coverage addresses allegations of negligence or breach of contract and can include legal defense costs resulting from a lawsuit or any disputes from its customers.
Since a payment processor is trusted with extremely sensitive financial and personal information, privacy liability coverage is essential. When this information is compromised, customers are certainly at risk, but the company is also exposed to liability.
Privacy liability coverage protects the company from liabilities stemming from a cyber incident or privacy law violation and also any regulatory investigations by governments and law enforcement.
If a class action lawsuit (and potential settlement) arises from customers who had their information compromised, privacy liability coverage will defend the payment processor. The same is true with any legal expenses, fines, or penalties resulting from a regulatory investigation by the government or law enforcement.
Cyber Security Insurance Coverage Needs Are Unique to Every Organization
In the hypothetical scenario above, the payment processor was able to not only mitigate the immediate damage caused by the ransomware attack and find the most favorable solution, it was also able to recoup financial losses from network downtime while protecting itself from liabilities resulting from potential litigation and investigations.
Still, this is merely an example scenario of how certain parts of a cyber liability policy may respond to a breach. Each organization has its own requirements and liabilities that should be considered when procuring a robust policy that offers adequate levels of protection on all fronts.
For more insights into cyber coverage, be sure to check out these Woodruff Sawyer resources:
8 Reasons to Buy Cyber Insurance
IN THE NEWS
Related Blog Posts
Nation-State Cyber Attacks and Insurance Response: Revisiting the War Exclusion
Pickup of Stephen Quintana and Elena Chen’s War Exclusion Insight
6 Things Underwriters Look for in Your Ransomware Protection
Learn the six steps you can take to protect yourself from ransomware, ranging from using multi-factor authentication to a comprehensive data backup strategy.