There is no question that cyber attacks have increased in frequency and severity over the last 10 years, and executives frequently cite cyber risk among their top concerns in corporate governance surveys. Despite this, cyber insurance, which has been around in some form for 20 years, has been relatively slow to become established as a standard insurance purchase by US companies. Reasons cited for not buying cyber insurance include budget constraints, a preference to spend money on cyber security instead, and skepticism that cyber insurance would actually pay claims.
That adoption has picked up pace in recent years, however. Among Woodruff Sawyer clients, the number of public companies buying cyber coverage increased from 22% in 2016 to 39% in 2019, and we expect this number to continue to grow. One reason for this growth? Put simply, everyone seems to be contractually demanding that everyone else buy cyber insurance.
It has been increasingly common for companies to ask their vendors to purchase cyber insurance along with more typical lines, such as workers' compensation and general liability coverage. This is, of course, relevant when companies are storing or processing consumer data on behalf of another company or providing a service that is critical to the operation of that company’s network or operations, but we often find that contracts demand cyber coverage even when it is not very relevant to the services being performed.
Depending on the nature of the business relationship, companies may be able to negotiate this requirement out to avoid purchasing insurance if they don’t already have it, but many choose to purchase a modest level of cyber insurance that will satisfy customer contract demands. One side effect of this trend is that peer benchmarking on the total amount of cyber limits purchased by companies is skewed low, as these companies are not using an exposure-based analysis to determine their level of coverage and are instead buying a basic amount (usually $5 million or $10 million) to satisfy contractual demands.
Necessity of Coverage
Improvements in Coverage
The good news is that the coverage you are being asked to buy is becoming increasingly valuable. Cyber insurance has expanded greatly as a product over the last 20 years. Early versions of cyber insurance primarily covered privacy data breach exposures, and as such the greatest interest was from consumer-facing companies that handled a high volume of Personally Identifiable Information (PII) such as credit card numbers, banking information, login credentials, or health records. The privacy aspect of cyber insurance covers both the direct costs and third-party liability of dealing with a breach. Retailers, educational institutions, and financial services companies that had large volumes of consumer data were early adopters of cyber coverage.
The European Union’s groundbreaking privacy legislation, GDPR, also led to an expansion within cyber privacy coverage to include other privacy-related allegations such as improper collection, storage, or handling of PII. Since cyber policies already covered regulatory fines under data breach laws, most now extend to fines and penalties in all privacy matters. The insurability of privacy fines under GDPR remains an open question, but most cyber insurers have at least added “most favorable venue” language to optimize the potential for coverage.
The California Consumer Privacy Act (CCPA) is another major exposure facing companies that have customers in California. The law, which went into effect on January 1st and will be enforced starting in July 2020, grants statutory damages for consumers who have been impacted by a data breach. These damages will make it much more attractive for plaintiffs’ law firms to bring class action lawsuits against companies. Previously, they have had difficulty convincing courts to award damages because it is difficult for consumers to prove they have suffered financial harm as a result of a breach. Cyber insurance will be a key source of protection for companies in defending against these expected lawsuits.
Cyber insurance has also evolved to cover the lost profits and extra expenses companies face when a cyber attack shuts down or impairs their operations. This expanded coverage (referred to as cyber or network business interruption) made the coverage more valuable to buyers in manufacturing and other B2B industries. Additionally, a company can now purchase coverage for the financial impact of an outage at its key vendors and suppliers, an extension known as dependent-business interruption.
The NotPetya attacks in summer 2017 put a spotlight on business interruption as a cyber exposure, with major companies such as Merck, Maersk, FedEx, and Mondelez all experiencing significant financial losses from the outage.
Yes, Cyber Insurance Pays Claims
Another reason for the slow adoption of cyber insurance had been skepticism that the insurance would actually perform. Articles are frequently published suggesting that insurance did not respond to a cyber claim, but the insurance in question is often another policy, such as crime, general liability, or property, that is not designed to respond to cyber claims and sometimes excludes cyber entirely. For example, the property insurance market has been highlighted in recent disputes with Merck and Mondelez over their NotPetya claims.
The reality is that cyber insurance has been routinely paying claims. Merck disclosed in their 2018 10K that they had recovered $45 million under (cyber) insurance policies related to the NotPetya outage, acknowledging that there are disputes with their property insurers as noted above. Equifax reported in their 2018 10K that they have received $125 million in proceeds from their cyber insurance, the full amount of the limit they had purchased but well below the expected cost of their 2017 data breach. A more recent example is Marriott, which reported in a November 5, 2019 SEC filing that they have recovered $77 million under their cyber insurance through Q3 2019 for their December 2018 data breach.
Contractual requirements might be the impetus for a company to first purchase cyber insurance, but the coverage is actually quite valuable, and the exposures keep growing. So instead of buying the bare minimum of coverage to satisfy a contract, companies should consider a cyber insurance program that will effectively transfer a much broader level of cyber risk.