Ask an Expert: What does a Cyber Liability Insurance policy cover and what does it exclude?

Standalone cyber liability insurance usually has two key coverage components:

• first-party loss (costs incurred to respond to and recover from a cyber incident); and
• third-party loss (liabilities arising from the cyber incident).

Cover for first-party loss can be triggered on an occurrence or discovery basis. A 'discovery' trigger for cover can be helpful particularly in circumstances where there is a time lag between the happening and discovery of a cyber incident.

While there is no 'standard' cyber liability policy, first-party loss cover typically includes:

1. Breach response costs: reasonable and necessary costs and expenses incurred in responding to a security breach or privacy breach including engaging an incident response management service provider (this can be a preferred provider on the insurer's panel with reduced rates), a digital forensic investigator, legal expenses, notification costs and crisis management or public relations expenses.
2. Business interruption loss: losses suffered as a result of a total or partial interruption to business operations, and is usually limited to a period of indemnity. This is usually calculated by reference to a loss in net profit, and may include fixed operating expenses.
3. Data recovery expenses: costs to replace, recreate or restore data that was destroyed, deleted, stolen or damaged as a result of the incident.
4. Cyber extortion loss: reimbursement for reasonable and necessary costs incurred to respond to a cyber extortion event including the costs for negotiating a ransom and payment of a ransom.

Cover for third-party loss is usually triggered on a claims-made and notified basis. Cover for third-party loss typically includes:

1. Privacy and security liability: legal liability to pay damages arising from a privacy breach or security breach.
2. Privacy regulatory liability: legal liability to pay regulatory loss as a result of a regulatory investigation or action. This may include compensation awarded and civil fines and penalties, to the extent they are insurable by law.
3. Media liability: legal liability to pay damages arising from an insured's wrongful acts associated with the creation and publication of media including copyright infringement, libel, slander or other form of defamation.
4. Defence costs: reasonable fees, costs and expenses incurred in defending the above.

Extensions for coverage may be available to extend cover to social engineering fraud or hardware replacement costs although a sub-limit is typically applicable. Key exclusions include:

1. Bodily injury,
2. Property damage,
3. Infrastructure failure such as a power failure.
4. War.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Attributable to Melissa Tan, Partner, Lander & Rogers

Have a question? Ask an Expert here