Cyber Security Insurance – Traps for the Unwary

It has been awhile since I last posted anything about cyber security, but it continues to be a very hot topic in the various insurance related newsletters that I receive.  As I noted in my first two posts of this year, cyber security is a two-edged sword for insurance agencies.  While they need to protect themselves from data breaches and their consequences, that same need of other businesses presents a selling opportunity for agencies.  With that selling opportunity come risks that are not present in more established lines of business due to the lack of standardized language for cyber security insurance policies.

A recent federal court case in Arizona involving the restaurant chain P.F. Chang is a good example of those risks.  P.F. Chang suffered a data breach involving its customers’ credit card information.  Like most businesses, P.F. Chang used a third-party payment service to process its credit card transactions.  Its agreement with that service required it to indemnify the service for any claims that may be made against it by the issuers of the credit cards for which payment services were provided.  Those issuers did make claims against the payment service as a result of P.F. Chang’s data breach in the amount of $1.9 million and when the payment service looked to P.F. Chang to pay those claims, P.F. Chang found out it did not have insurance coverage for them under its cyber insurance policy with Federated Insurance.

Even though Federated had marketed its cyber insurance policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches”, its coverage only applied to claims made by persons whose information had been taken and it excluded liability for any claims made as a result of P.F. Chang’s contractual assumption of liability. It did not include payment card industry coverage, which would have protected P.F. Chang in this situation.  It’s not hard to imagine the conversation that took place between P.F. Chang and its insurance agent when P.F. Chang lost its court case against Federated. Hopefully, that agent properly documented his or her discussions with P.F. Chang about the types of cyber coverage it wanted.  Even so, that agent will likely never sell another insurance policy to P.F. Chang.

To avoid being put in the situation of P.F. Chang’s insurance agent, it is essential that an agent find out all the possible exposures of their customers to a data breach.  A recent post on Property Casualty 360 discusses the five essential coverages that every cyber insurance policy should have.  Depending on the size and business activities of a particular customer, coverage for public relations expenses may not be necessary in every case, but the other four coverages should be a part of every cyber insurance policy sold.  Forensics and legal expenses are necessary to determine the scope of any breach and what legal responsibilities are created by it.  Those responsibilities will typically include notification of the affected customers and possibly, the provision of credit monitoring services.  Business interruption coverage will help the customer overcome the inevitable loss of income that will occur as the customer focuses on dealing with the consequences of the data breach and with the rise of ransom ware attacks this year, every business should have protection against having to pay a hacker to unlock their data that has been encrypted by malware.

Of course, every business that accepts credit cards as payment for their goods or services will need the payment card industry coverage that P.F. Chang lacked.  That includes insurance agencies, all of whom should be checking their cyber insurance policies to be sure they have such protection.