Cyberinsurance

I was going to write about something else today - about a particular technical, tactical issue in litigating insurance coverage and ERISA, particularly breach of fiduciary duty, cases - but I came across something else that was too intriguing to me to pass up, and I will return later this week to the issue I meant to discuss today. What caught my eye was this article on cyberinsurance, which I liked for a number of reasons: one, it is a good article on the topic; two, it sounds cool, what with the word cyber in it; and three, it mingles my interest - reflected by the existence of this blog - in technology with my professional interest in insurance coverage.

And just what is cyberinsurance? It is a specialty insurance product covering the risks inherent in reliance on computer data and computer generated, stored and manipulated information. As the article points out, most traditional insurance products relied on by businesses do not provide much, if any, coverage for the risks related to a business’ reliance on this type on technology, so a few insurers have created specific policies targeting this risk. The policies cover:

First-party business interruption covers revenue lost during system downtime caused by accidents and security breaches. Losses during catastrophic regional power outages are typically excluded, but that's little different from standard exclusions for floods or other "acts of God."
First-party electronic data damage covers recovery costs associated with compromised data, such as virus infections.
First-party extortion covers ransom demands of hackers who claim to control systems or data and threaten to do serious harm.
Third-party network security liability covers losses associated with the compromise and misuse of data for such purposes as identity theft and credit card fraud.
Third-party (downstream) network liability covers judgments from lawsuits initiated by those harmed by denial-of-service attacks and viruses sent out over your system.
Third-party media liability covers infringement and liability costs associated with Internet publishing, including Web sites, e-mail and other interactive online communication.

One of the more interesting things from an insurance coverage standpoint about the article, and about this product, is that, as the article points out, “[u]nlike traditional insurance policies, cyberinsurance has no standard scoring system or actuarial tables for pricing premiums,” and instead each company that offers the coverage must investigate the potential insured’s exposure and develop a price point for that particular insured that adequately captures the risk.