Relative to insurance overall, cyber insurance is very new. Types of cyber insurance have been around since the 1990s but, like cars or houses, there is no one uniformity, common policy type or standard.
Cyber insurance policies have evolved over the years[1] as follows:
- Late 1990s: 3rd party[2] cyber insurance policies are created. These policies covered damage to 3rd parties caused by someone other than the insured.
- 2001-2002: Cyber liability policies start adding coverage for incidents arising from the insured and for previously excluded items such as rogue employees. There was still no 1st party coverage (i.e. protecting the insured if they were harmed by an attack such as a hacking incident). First party cyber liability insurance is soon created, which includes business interruption, cyber extortion (ransomware), network asset damage and HIPAA liability language.
- 2003: CA Security Breach Information Act: As it does with many important consumer protection laws, the State of California leads the way. In 2002, CA requires that, in the event of a breach of personal information[3], any business or agency conducting business in California must notify the affected customers/parties if it is reasonable to believe that personal information was accessed by an unauthorized person. Personal information is defined primarily as first and last name combined with a social security number (SSN), driver's license number, or account, credit card or debit card number together with an access code or password. Other states soon followed with similar legislation, and this standard remains largely unchanged today in terms of what qualifies as personally identifiable information.
- Carriers responding to the CA Security Breach Information Act incorporate new first party coverages which are expanded to include credit monitoring costs and services, such as credit rating repair, customer notification, public relation help and information technology forensics. New 3rd party endorsements include coverages for regulatory defenses, fines and penalties.
- Today: Many carriers offer some form of mono-line cyber liability insurance or package it together with other coverages. Unfortunately for consumers and small businesses, many cyber policies that are packaged together with other coverages may provide very low limits of coverage, exclude situations you believe are relevant to your business, or not respond in the event of property damage. Such policies may provide little more than false comfort, leaving companies underinsured. It is important to read your cyber liability policy, its terms, coverages and exclusions.
Only in the last few years have cyber insurance policies started to evolve to address the increasing real exposures that your small business, and you as a person, have to potential cyber-criminal activity. Keep in mind that a criminal incident may be initiated by a human actor but then carried out by automated software programmed to complete the criminal goal, so the scale and speed of an attack can far exceed what one person could do by hand.
- [2] 3rd party means someone other than the 1st party who holds the policy. Liability policies cover 3rd party damage. For instance, if you are Target and own a 3rd party cyber liability policy, you are the first party and coverage is provided to your customers, who are 3rd parties.
- [3] Cyber policies today may refer to the definition of Personally Identifiable Non-Public Information (PII), or "nonpublic personal information" as defined in the Gramm-Leach-Bliley Act of 1999, aka GLBA. NB: The GLBA is the legislation that repealed the Glass-Steagall Act of 1933, allowing financial institutions to merge and become "too big to fail".