Decipher which policy or policies cover your institution against cyber risks
You Can’t Afford Not to Evaluate and Manage Cyber Risks
Measuring online risk is a daunting task: the depths of the internet seem endless, and new reports of cyber-related attacks surface regularly. Cyber risk – that is, exposure associated with computers, electronics, or communication systems – touches a broad scope of information, ranging from personal identifying information (birth dates, social security numbers, credit card numbers, fingerprints) to corporate and institutional data (financial records, contracts, student files, marketing plans). With the global average cost of a data breach in 2024 coming in at $4.88 million,1 evaluating and managing these risks is critical (and not doing so, expensive), and insurance should always be part of that discussion.
Cyberattacks in Higher Education
These attacks can do irreparable damage, most dramatically seen in 2022 when Lincoln College in rural Illinois was forced to close permanently – after 150 years – due to both the pandemic and, notably, the impact of a December 2021 cyberattack that forced the school to shut down for three months, compromising its files and crippling recruiting and enrollment.2
More recently, Texas Tech University Health Sciences Center fell victim to a ransomware attack that implicated the private data of more than 1.4 million patients, which the attackers then leaked;3 close to 250,000 records were taken from Indiana University and posted to a public stolen-data site; and sensitive information including names, addresses, birthdates and social security numbers was stolen from nearly 1,000 US colleges and universities in the widespread exploitation of Progress Software's MOVEit Transfer file-transfer product in May 2023, a mass data-theft campaign claimed by the Clop ransomware group that affected approximately 40 million people.4
Insuring the Cyber Risk
Evaluating an institution’s risk is often a multi-disciplinary endeavor, which may mean a single policy is insufficient to adequately insure that exposure. An institution should consider not only insurance for losses from anticipated events like a social engineering fraud event or ransomware attacks, but also associated business interruption losses and claims by affected third parties. Strong consideration should also be given to the interplay between related lines of insurance, such as cyber liability, commercial property, and crime coverage, not only to ensure a comprehensive program but also to avoid gaps in coverage.
Commercial General Liability Insurance
For some time, many policyholders assumed their business and commercial property policies – which were commonplace – would respond in the event of a cyber liability event like a ransomware attack. The cyber coverage afforded under traditional lines of insurance is limited, though, and typically not a recommended risk management strategy on its own.
Historically, a business’ first stop for insurance to cover a cyber event was its commercial general liability (“CGL”) insurance. Those CGL policies typically covered losses “because of property damage” that were caused by an occurrence during the CGL policy period. While interpretation and application of this phrase varied from jurisdiction to jurisdiction, coverage for a cyber event generally hinged on whether there was some connection between the losses and “property damage,” as that term is defined in a CGL policy. That relationship, at one point in time, was plausible.
The COVID-19 pandemic – more specifically, the government shutdowns and associated business losses – gave courts a new occasion to consider what "because of property damage" means within the scope of CGL coverage. The resulting spike in litigation was particular to whether losses incurred due to the presence of the COVID-19 virus constituted damages "because of property damage," but it left the legal authority across the country a mix of opinions that, while unique to COVID-19 facts, offered guidance on an insurance turn of phrase with a reach well beyond the pandemic.
Now, as the insurance landscape for cyber claims develops, so do the inconsistencies in how courts interpret CGL policies in these contexts. Courts have issued conflicting decisions regarding whether, and how, CGL policies cover cyber losses such as data breaches and ransomware attacks. This body of caselaw turns on varying interpretations of key elements of the fundamental CGL insurance provisions, and it underscores the risks policyholders assume if they rely exclusively on CGL coverage to insure cyber incidents.
In response to the growing prevalence of cybercrime over the last 20 years, CGL insurers – by way of amendments to standard insurance forms as well as manuscript endorsements – have more explicitly and intentionally excluded coverage for electronic data or damages arising out of the loss or corruption of electronic data. For example, the standard ISO CGL form (CG 00 01) has, since its 2004 edition, provided that electronic data is not "tangible property" for purposes of the "property damage" definition, and the 2014 ISO endorsement CG 21 06 excludes liability arising out of access to or disclosure of confidential or personal information and out of the loss of electronic data.
Commercial Property Insurance
Another potential source of coverage for cyber losses is commercial property insurance. Commercial property insurance generally protects commercial property owned by a business. These policies may either be “named peril” policies, covering only damages from specific risks, or “all risks” policies, covering damages from all risks except those excluded by the policy.
Commercial property policies may include some coverage for computers, such as explicit protection for damage to physical computer equipment and components, or computer coverage might be folded into broader coverage for electronics. Notably, these coverages are often subject to lower sublimits of liability, further curbing the effectiveness of this coverage as an exclusive means of insuring cyber risk. There is rarely protection for the software or information stored on computers or for data stored in the cloud. Like CGL policies, commercial property insurance should not be relied on as the exclusive means of insuring cyber liability risks.
Other Traditional Insurance Policies
While we have seen other lines of coverage, such as professional liability, crime, or directors & officers (D&O) insurance, endorsed to cover cyber liabilities, those coverages are often narrow and subject to a de minimis limit of liability. There is also limited, and often inconsistent, legal authority on whether these policies cover cyber risks and how the language in the policy should be interpreted for such a claim. As a result, these lines of coverage are not likely to be a reliable means of insuring an institution's cyber liability risk.
Cyber Liability Insurance
Cyber liability insurance coverages vary, as there is no standardized product or scope of coverage for this relatively new line of insurance. There is also scant legal authority across the country interpreting these policies, making disputes about coverage less predictable.
Most stand-alone cyber policies offer both first and third-party coverages:
First-party coverage applies to costs the policyholder incurs in responding to a cyber event. These costs may include incident response costs, data restoration costs, extortion costs (e.g., ransom payments), and sometimes business income loss resulting from the cyber event. The most significant and fundamental costs covered are incident response costs, which usually include forensic investigation, counsel/breach coach, notification of affected individuals in the event of a data breach, call centers, identity theft monitoring, and public/media relations to minimize brand and reputational damage.
Cyber incidents that result in first-party losses can also give rise to third-party claims by organizations or individuals who are (or who allege to have been) damaged by those events. As a result, cyber liability policies generally include coverage not only for the policyholder's own (first-party) costs, but also for defense and indemnity against liability claims by individuals or organizations alleging the cyber incident caused damage to that third party. This third-party coverage often includes network security liability (claims arising from a failure of the policyholder's network security, such as unauthorized access to its systems or transmission of malware to others), privacy liability (claims by individuals whose personal information was exposed in a data breach), and regulatory proceedings.
Conclusion
Cyber liability insurance is typically the insurance that an organization or business doesn't know it needs until it needs it. The best defense against the potentially enormous liability of a cyber incident is to adequately assess your institution's risk and work with the appropriate professionals to secure coverage accordingly. This assessment should include analyzing multiple lines of coverage in tandem, not only to understand how they work together, but also – and, arguably, more importantly – to prevent unanticipated or unintended gaps in coverage. Technology and cyber liabilities change daily, and an institution's protection against the resultant exposures needs to evolve in kind.
1 https://www.ibm.com/reports/data-breach
2 https://www.cnn.com/2022/05/09/us/lincoln-college-shutting-down-ransomware-attack/index.html
3 https://www.hipaajournal.com/texas-tech-university-health-sciences-center-ransomware-data-breach/
4 https://www.cybersecuritydive.com/news/progress-software-moveit-meltdown/703659/#:~:text=The%20third%2Dparty%20organizations%20responsible,Hover%20to%20read%20college%20names.&text=An%20attack%20against%20the%20MOVEit,linked%20to%20the%20MOVEit%20attacks.
By Rachel S. Pearson, Insurance Coverage Attorney | Saxe Doernberger & Vita, P.C.