Playing Roulette With Your Cyber Risk Management Strategy

“I don’t need cyber coverage because I can hire an aggressive insurance recovery attorney to squeeze money out of my traditional Commercial General Liability Policy, right?”

There are any number of very smart, aggressive and skilled insurance recovery attorneys who seem to agree with the above statement.  Case in point: a major law firm recently posted a Client Alert from their Insurance Recovery group, arguing that many “traditional” insurance policies, namely Commercial General Liability (CGL) and the Umbrella or Excess Liability policies that sit above them, may cover cyber liability claims, despite insurer assertions to the contrary.

Yes, this may sometimes be true, although decreasingly so.  And relying on this information as a risk management strategy is akin to taking your corporate assets to Las Vegas and putting them all on “19” on the roulette table (or whatever number was on your high school soccer jersey).

The reality is that while the CGL recovery strategy has worked in the past, and there will be instances in which it will work in the future, those instances are ever diminishing.  This is because of three things: economics, economics, and economics.  Put differently, the insurance market has evolved as the severity and frequency of cyber incidents has escalated.  And that evolution has actually been quite positive for insureds.

This debate made more sense ten years ago, when cyber liability and data breach exposures were just entering the public lexicon.  In 2003, California became the first state to require notification to consumers of data breaches.  By 2005, 22 more states had passed similar laws.  And then in 2007, clothing retailer TJ Maxx admitted a data breach involving 45 million customers’ information.

For many companies, the TJ Maxx breach was the first time this exposure even came on their radar screen.  At that time, cyber insurance policies were only offered by a few specialty insurers, and the coverage provided was not very broad.  In these early breaches, companies certainly turned to their CGL policies for recovery, and many were successful.  At the same time, CGL insurers were still wrestling with how to address this new exposure.

Fast forward to 2014, with massive breaches at Target, Home Depot, PF Changs, Adobe, eBay, and Albertsons making headlines on a weekly basis.  CGL insurers have by now made it very clear, through new policy forms and exclusions on existing forms, that they do not intend to cover such claims on the CGL policy.  They argue that the frequency and severity of cyber liability claims are not contemplated in the premiums charged for CGL policies, and that many features of a CGL policy (occurrence form, defense outside the limit, low deductibles) are not sustainable for this exposure.  Almost all CGL insurers now offer standalone, dedicated policy forms that broadly cover cyber liability claims.

And yet the idea persists that the CGL policy should be covering these claims.  One of the biggest challenges with this adversarial line of thinking is that it paints the insurance company as somehow being in the wrong for attempting to direct cyber claims away from CGL policies.  The simple math of insurance is this:  Insurers need to collect enough in premiums and investment income to cover their costs (claims and underwriting expenses).  To prudently cover cyber claims under a CGL policy, they would need to increase premiums and adjust terms to the point where it could be profitable.  And that means that everyone would be saddled with those higher costs and restrictive terms.

Instead, they offer a separate, dedicated insurance product that more directly (and thoroughly) covers the true exposure.  That gives each company the freedom to make a determination about whether or not to elect that coverage, given their specific exposures and appetite for risk.

The aforementioned alert concludes by acknowledging that a CGL policy “may not address all of the costs incurred by an insured as a result of a data breach.”  This is true.  Even if you manage to find recovery under a CGL policy, it would only potentially cover the liability (third party claims) from injured parties.  There would be no coverage for the direct (first party) costs arising from the event, including forensic IT work, the cost of notifying customers about the breach, the cost of proactively offering credit or ID theft monitoring insurance, or the cost of public relations advice related to the event.  All of which are standardly offered in a cyber insurance policy.

If a breach hits tomorrow and you have not yet made a proactive decision about whether to buy insurance dedicated to cyber liability exposures, then yes, it may make sense to hire coverage counsel to see if there is any chance of recovery under your CGL policy.  But that’s not a risk management strategy, and it is likely to be less and less successful as insurers tighten up exclusions.  The time to evaluate cyber insurance coverage is now, before you become the next cyber liability headline.