As insurance companies continue to look for ways to absolve themselves of liability for cyber-related losses, it is imperative that in-house counsel be well informed about all possible avenues of indemnity for their company.
Data breaches have made headlines for years by now. The marquee victims – or culprits, depending on your point of view – have been large retail-facing companies that have had millions of their customers’ personal and financial data records exposed by hackers. Banks and other financial institutions are also at a high risk of major losses from cyberbreaches because they inherently collect and store personal identification and financial information about thousands of people and businesses.
In-house counsel have had to educate themselves about both the available cyberinsurance coverage and the indemnity obligations in the involved contracts. These policies and contracts transfer certain types of risks. A company’s insurance policies can pay for its own losses as well as its liabilities to others. Where robust indemnity agreements are in place, they can transfer the obligations to pay for such losses and liabilities to, or away from, the company itself.
Siphoning cyber coverage into specialty policies
Cyber policies have proliferated over the past 15 years and now come in many varieties, providing different types of coverage. Some are stand-alone cyber policies with typical coverage for breaches, notification costs, data restoration, ransomware and other situations. Other policies are derivations of errors and omissions (E&O) policies that focus on the act or cause of a loss and extend coverage for data loss and liability to others.
For years, other policies, such as general liability, property insurance, and directors and officers (D&O) liability, have provided coverage for certain types of losses that stem from a data breach or other cyber loss. For example, a general liability policy might cover liability for property damage to another party’s physical property, including computer hardware. A property policy might cover the replacement of bank debit cards, as physical property damaged by a breach. D&O policies could be expected to cover the lawsuits that follow many data breach scenarios, when shareholders or regulators look to blame the victimized company…