The Most Cost-Effective Strategy for Buying Cyber Insurance: Raise Response-Cost Limits to the Full Extent of Aggregate Policy Limits

Posted by David WhiteBy now, all companies – large, small, and in between – know they are vulnerable to computer hacks, and the costs can be huge.[1] Looking at the current trade talk, one sees a host of articles telling companies why they should purchase cyber insurance.[2] Many discuss what limits to buy, and a good many describe the varieties of cyber insurance on the market.[3] Not many, however, advise policyholders on the best strategy to maximize the value of the policy in return for the premium dollar they pay.Cyber insurance is not cheap, and businesses must make hard choices about the type and amount of insurance they buy. It is impossible to insure against all risks and worst cases. Consider the military maxim, attributed to the Prussian king Frederick the Great, that to defend everything is to defend nothing. Limited resources, be they soldiers or dollars, must be carefully marshaled and applied where they will do the most good.  In buying cyber insurance, our general advice – though it depends on each client’s circumstances – is to aim to make 100% of the aggregate limits of a cyber policy available to cover those initial costs necessary to respond to and manage a hacking intrusion.The reason is simple: in almost all cases, if a business is hacked, the one loss it can be certain to face from day one is substantial response costs for such things as forensic experts to find and fix the intrusion, crisis management, legal services, notification expenses (where prudent or required by state and federal law), and perhaps regulatory fines. Other losses and liabilities resulting from the theft or destruction of data either may not materialize, or the insurance to cover them is not reasonably available or is prohibitively expensive. So, weighing a doubt against a certainty, a policyholder is often better off when the entire aggregate limit is available to cover response costs.Consider the matter in light of the likely risks the company will suffer from a cyber attack. Usually, there are three: (1) response costs (described above); (2) liability to third parties who may be damaged from the hack; and (3) lost income if the attack forces the insured’s business to slow or shut down.  Of course, there may be other risks, but these three are the most prevalent. Common sense might dictate that liability from lawsuits and the insured’s lost income are more serious risks than response costs. They may end up as the most expensive, but only if they materialize.  In the past five years or so, plaintiffs in lawsuits against hacked companies have not made much headway in the courts because quantifiable damages have not been easy to prove. Thus, a defendant’s greatest fear after the Target data breach, a huge class-action from consumers, has not substantially materialized. As a rule, courts have been willing to approve monitoring costs, but not much more.  Of course, that could change in the future.Regarding first-party lost-profits, insureds face the opposite problem. The risk that a computer shutdown will cripple a business is patent, but the insurance industry has yet to offer robust business-interruption coverage for most insureds, particularly small and mid-size companies. Unless the hack results in bodily injury or physical damage to property, cyber business-interruption coverage is usually not readily available, or is not available in sufficient amounts, or is prohibitively expensive.Most cyber policies on the market today offer a menu of coverages, each with its own sublimit, but all subject to a single aggregate limit, which is the most the insurer will pay under the policy regardless of the number of different claims or losses under the various coverages. So, for example, the policy may have a $5 million aggregate, which is more or less the average we see for small to mid-size businesses.[4]  Let’s assume the policy offers to cover response costs subject to a sublimit of $2 million; several different liability risks (such as network security, multimedia or intellectual property, regulatory, privacy, etc.), each subject to a sublimit of $2 million; and even business-interruption loss subject to a time-delay deductible and a sublimit of $5 million.  In no event will the insurer pay more than the $5 million aggregate, even if all of the coverages are triggered.All things considered, this is pretty good coverage for most companies.  But the policyholder may benefit from requesting a revised quote from the insurer for a response-cost sublimit equal to the aggregate limit. Optimally for the insured, the policy would have no sublimits, and the insured would have the option to apply the aggregate limits to whichever loss or liability loomed largest.  But Frederick the Great would tell us that if we must choose, we should consider making the full policy aggregate available for response costs because those are the losses the insured will most certainly face, if any; they will be the costs incurred from day one of the discovery of the hack; and they could well exhaust the aggregate limits of the average cyber policy. [1] V. Lynch, Cost of 2013 Target Data Breach Nears $300 Million, hashedout, https://www.thesslstore.com/blog/2013-target-data-breach-settled/, last viewed June 5, 2018; Heller, Equifax Hack Could Cost ‘Well Over $600 Million’, CFO, http://ww2.cfo.com/data-security/2018/03/equifax-hack-cost-well-600m/, last viewed June 5, 2018.[2] Heinan Landa, Does Your Business Need Cyber Liability Insurance?, The Business Journals,  https://www.bizjournals.com/bizjournals/how-to/growth-strategies/2017/05/does-your-business-need-cyber-liability-insurance.html, last viewed June 5, 2018.[3] Christiaan Durdaller, Cyber Insurance Trends with Small Businesses, Insurance Journal, MyNewMarkets.com, https://www.mynewmarkets.com/articles/183128/cyber-insurance-trends-small-businesses#, last viewed June 5, 2018.[4] We are not recommending this or any other policy limit as adequate or reasonable for a particular company or industry.  That is simply more or less what we observe.