We live in a litigious society. The past few years have seen increased litigation against IT departments and technology companies. The lawsuits continue to pile on as more data breaches, ransomware attacks, attacks on security and systems and IT errors and omissions occur.
- This year, Scripps Health System in San Diego is facing class-action lawsuits stemming from a ransomware attack in April.
- This year, fuel stations from Florida to Virginia ran dry and prices at the pump rose after Colonial Pipeline voluntarily shut down its operations after a ransomware attack in May.
- And in a landmark case few of us will forget, Target paid $10 million to consumers and $39 million to banks after hackers broke into its systems and stole personal information in 2013. The CIO lost his job.
The increase in lawsuits indicates that organizations that are hacked are no longer limited to simply redressing injuries with reimbursements to people who had their data stolen. In today’s world, companies are also being sued for derivative damages that go well beyond a heightened risk of identity theft or credit card fraud -- such as a downed medical system that causes a patient’s operation to be delayed and that results in death or complications.
The increase of risk (and loss) attributable to technology compromises and malfunctions has many CIOs and insurance campaniles thinking about what kind of liability protections can be obtained to combat losses -- and it’s been a difficult road.
On the technology side, there have been challenges because CIOs must now think beyond the simple business liability risk protection insurance that falls under the auspices of the general liability Insurance that companies have had for years. On the insurance side, understanding the issues of cyber and ransomware attacks have been equally challenging. Because of their limited experience with new technology exposures, insurers aren’t always confident as they attempt to determine the types of insurance and coverages they should be providing for technology incidents, or even whether they should offer technology-specific insurance at all.
Despite these challenges, there are insurance options and products available on the market that CIOs and risk managers can regularly assess and discuss with their insurance providers. In some cases, multiple insurance policies may be required to fully cover IT risks, and in other cases insurance companies can offer bundled insurance packages that combine the coverages of what normally would be multiple coverages, which is usually a more economical way to go.
Regardless of how CIOs and risk managers evaluate and obtain liability coverages, there are several insurance liability categories that these decision makers should review.
General Liability Insurance
General Liability insurance covers bodily injury, property damage, injury from defamatory advertising, infringements on copyrights, and reputational harm. In other words, if your company places an advertisement that is deemed to defame an individual or another company, you are covered. If a customer slips and falls and sustains an injury in your data center, you are covered. If there are court and attorney costs associated with a claim against your company, these are covered, too.
The first liability insurance policy for business originated in 1886, so general liability insurance is nothing new. Insurance companies are comfortable underwriting these policies, and many states require even small businesses to carry some type of general liability insurance.
The question is, how much IT does general liability insurance cover? Will it cover damage from a hurricane to your data center? Yes. Will it cover a fall by an IT consultant in a slippery hallway? Yes. Will it cover a ransomware attack or a security breach? Unlikely.
Cyber and Data Breach Insurance
There are many variations of cyber and data breach insurance, so it’s important to evaluate the types of risk you are most concerned about before you go shopping for cyber insurance.
Here is the range of cyber insurance:
- You can insure yourself against a data breach by protecting your company from liability if customer or sensitive data is breached. The insurance attempts to make those whole who suffered from the breach. It may also provide reimbursement for the mitigation that is necessary as your staff repairs the breach and notifies customers. You can augment basic coverages, so they cover attorney and legal expenses, digital forensics work, etc.
- You can also obtain business interruption coverage that applies to expenses and lost revenue due to a computer virus or denial-of-service attack that impairs your systems -- and you can add cyber deception coverage that occurs when someone in your organization inadvertently transfers funds or goods in lieu of payment to a third party under false pretenses.
- There is cyber insurance for network and security breaches, and cyber insurance that provides for improvements to a computer system after a security breach, when the improvements are recommended to eliminate vulnerabilities that could lead to further breaches.
- There is also cyber extortion insurance that covers your company in the event of a ransomware attack, or that protects any intellectual property (IP) that might have been stolen from your company’s systems.
In short, there are many different permutations of cyber insurance that you should assess against your own company’s risk profile. You can then work together with your insurer to come up with the best package of options.
Errors and Omissions (E&O) Insurance
These days, technology-intensive companies also carry errors and omissions insurance that is a kind of malpractice insurance for IT.
For example, if your technology company is hired to get a company’s e-commerce store up and running by the holiday season and you fail to do so, or if the store isn’t functional, your company can be sued for damages incurred by your client, which can be directly traced back to the errors or negligence of your company. You can also be sued if you release a product (like software) that doesn’t work as claimed and/or causes your clients damage.
Typically, an E&O policy covers legal fees, court costs, court fees, settlement payments, and legal judgments. This is important coverage for technology startups that are bringing new and innovative products to market that also carry some risk.
Summing it Up
The need for cyber insurance and other IT coverages has complicated the insurance picture for both companies and insurers.
This is why it’s critical for CIOs and others in IT leadership to get together with the company’s risk management group, review the liability insurance that the company currently has, perform a “gap analysis” of risks that current insurance doesn't cover -- and then fill those gaps.
There are still companies in the SMB space that do not carry cyber insurance. With cyber insurance policies available for as little as $500/year for very small companies, adding cyber insurance to existing general liability insurance makes sense. For mid- to large-sized organizations, carrying ample cyber insurance is an imperative. The only open question is, which types of cyber risks you want coverage for?
What You Need to Know About Ransomware Insurance
What Lawyers Want Everyone to Know About AI Liability