Rochester Business Journal
Data breaches and cybercrimes have become all too common. Companies large and small now find themselves the target of cyberattacks in the form of ransomware, phishing emails and social engineering attacks. The resulting data breaches can lead to business interruption and downtime, loss of confidential information, and the potential for significant costs and damages.
Cyber liability insurance policies provide policyholders with several coverages to protect businesses from first-party losses and third-party claims arising from data breaches and other cybersecurity issues.
Generally, cyber insurance policies will protect your company from cyber risks with several distinct coverages, which may include the following:
Cyber insurance policies may also include additional optional coverages, each with its own specific sublimits:
While most cyber insurance policies will contain some combination of the above coverages, there will be differences between policies (particularly when purchasing a stand-alone cyber insurance policy or adding cyber coverages to a package policy). As part of your company’s overall risk management strategy, you should review the cyber coverages that you have in place and the limits applicable to each type of coverage in relation to your company’s operations and risk profile.
In reviewing the coverage afforded under a cyber insurance policy, policyholders should be mindful of the different coverages provided and the different limits that may be applicable to each type of coverage. One ongoing case in the Northern District of Illinois highlights the important distinctions between different cyber coverages — and the need to carefully review cyber coverages with your counsel and insurance professionals.
In this case, the Illinois Department of Insurance is seeking coverage for losses caused by a fraudulent email sent to an employee in the Department’s Office of the Special Deputy Receiver (“OSD”). The fraudulent emailer, posing as OSD’s chief financial officer, convinced an employee to transfer nearly $7 million to overseas accounts.
OSD filed suit against two of its insurance carriers seeking coverage under the computer fraud provisions of OSD’s cyber insurance policies.
The insurance companies have moved to dismiss OSD’s claims, noting that the policies contain separate insuring agreements for “computer fraud” and “social engineering.” “Social Engineering” coverage responds to fraudulent inducement by means of misrepresentations by a third party, whether by email or other electronic means. This coverage for social engineering attacks is distinct from coverage for computer fraud, which responds to losses due to computer crimes — the intentional, fraudulent or unauthorized input, destruction or modification of electronic data or computer instructions by a third party (i.e., computer hacking).
The distinction between which of the policies’ coverages might apply is not an academic exercise: in OSD’s case, its two policies afforded only $500,000 in combined coverage for social engineering losses, whereas limits for computer fraud coverage total over $5 million between the two policies. This case highlights the important distinctions between cyber coverages and the need for policyholders to understand and consider the limits of insurance that they procure to protect against each type of risk.
Ryan A. Lema is a partner with Phillips Lytle LLP and member of the firm’s Insurance Coverage Practice Team. His experience with insurance coverage matters includes litigating complex coverage disputes for insureds, litigating insurance procurement and indemnification disputes, working with primary and excess insurance carriers to defend the interests of insureds, and monitoring defense claims where the claim exceeds insurance coverage. He can be reached at (716) 504-5790 or rlema@phillipslytle.com.