There are over 60 unique insurance markets - domestically, in the United Kingdom, and in Bermuda - that are providing cyber coverage. A policyholder must carefully review the cyber coverage policies offered by the various insurance carriers as the wording and coverage provided varies from insurance carrier to insurance carrier. Some insurance carriers are offering systems failure coverage and breach response coverage, while other insurance carriers are not. When reviewing the cyber insurance policy, it is important for the company's risk manager and broker to know the company's business inside and out. They must understand the top risks to the company and identify those that are insurable and those that are not. They must understand the contracts entered into by the company and the risks assumed in those contracts. Then, when reviewing the cyber policy language, they must make sure that the policy language covers the risks and potential risks of the company. The risk manager and broker should confirm that there is breach response coverage (IT forensic experts, legal experts, call center services, credit monitoring, identity theft monitoring, public relations, etc.), first party coverage (network business interruption, dependent business interruption, system failure, digital asset coverage, cyber extortion payments, etc.), and liability coverage (failure of network security, failure to protect/wrongful disclosure of information, privacy or security related regulatory investigation, media content infringement, etc.).
A breakdown in the risk analysis related to cyber coverage can be very costly to a company. Recently, in P.F. Chang's China Bistro, Inc. v. Federal Insurance Company, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. 2016), the court held that P.F. Chang's cyber liability policy did not provide coverage for over $1.9 million in fees and assessments that P.F. Chang was required to pay Bank of America Merchant Services ("BOA"). BOA had provided P.F. Chang with credit card processing services. Under the Master Services Agreement ("contract") between P.F. Chang and BOA, P.F. Chang was required to reimburse BOA for fees, fines, penalties or assessments BOA paid to MasterCard. After hackers stole approximately 60,000 of P.F. Chang's customers' credit cards, BOA paid over $1.9 million in assessments to MasterCard and sought reimbursement of those costs from P.F. Chang per the contract. The cyber policy issued by Federal Insurance Company contained an exclusion for any loss or expense that P.F. Chang assumed under a contract. The court held that per the exclusion, there was no coverage for the assessment costs paid per the BOA contract.
This case highlights the importance of a company performing a thorough cyber risk assessment and performing a thorough review of the language in the cyber policy it is considering to purchase to make sure that there are no gaps in coverage.