Cyber Insurance: An Overview of an Evolving Coverage

California Business Law Practitioner
January.04.2016

Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.

Data breaches and cyberattacks occur across all sectors. In the past year there have been highly publicized mega-breaches of technology companies, entertainment companies, retailers, financial services companies, health insurers, manufacturers, and the federal government’s Office of Personnel Management. Even the most sophisticated systems are vulnerable to a data breach. And companies with any potential exposure—which includes any company that maintains employee information—are increasingly looking to cyber insurance as one way to manage the cost of a data breach.

Our article “Cyber Insurance: An Overview of an Evolving Coverage” provides an overview of cyber insurance. The first section (What Is Cyber Insurance?) describes the risks faced by companies and the coverage offered by cyber insurance. The second section (The Development of Cyber Insurance) describes the development of cyber insurance as a specialized coverage, the impact on cyber insurance development of breach notification laws, and the limits of coverage of existing insurance. The third section (Where Is Cyber Insurance Heading?) discusses the key coverage and exclusion battlegrounds in these policies, the emergence of cyber insurance litigation, and the challenges presented by the Internet of Things. We hope that companies will benefit from a better understanding of the scope and value of cyber insurance in making decisions about its value as one among different means of proactively enhancing their IT Security posture.

Author

Alison Roffi Deputy General Counsel, Finance, Complex Litigation & Dispute Resolution

New York

See my bio

D:+1 212 506 5366
E: [email protected]

Practice:

Finance Sector
Finance
Complex Litigation & Dispute Resolution

vCard

See full bio

Alison Roffi Deputy General Counsel

New York

Alison is responsible for providing counsel on the Firm's global legal affairs, including advising on matters related to corporate governance, claims, contracts, insurance, ethics, and risk management. Alison is also a member of Orrick’s Risk Management Committee, focusing her efforts on risk awareness and prevention through risk management training, internal Firm publications, and risk management audits.

Prior to assuming the role of Deputy General Counsel, Alison was a litigator in the Firm's Complex Litigation and Dispute Resolution group. Alison represented audit firms and accountants in regulatory proceedings as well as civil disputes. She has experience managing and conducting large scale internal investigations, liaising with regulators, and managing cross-border risk and liability. In addition to professional liability cases, Alison also defended financial institutions in lawsuits alleging claims related to RMBS transactions following the global financial crisis. Her practice also focused on representing the interests of policyholders in their navigation of issues with their insurers regarding coverage, claims, and recovery.