Insuring Against Cyber Risks: Coverage, Exclusions, Considerations

The risk of security breaches has become a serious concern for any commercial enterprise that maintains private records in digital form. As news stories reporting the latest theft of credit card data, Social Security numbers and ATM codes have become more prevalent, the issue of cyber security has only become more important to management and investors. Computer systems security has evolved into a significant issue with such broad implications that, in 2011, the Securities and Exchange Commission issued guidance concerning disclosure obligations relating to cyber risks and cyber security incidents. More recently, in 2013, the SEC and Commodity Futures Trading Commission (CFTC) jointly issued Identity Theft Red Flag rules which impose requirements on financial institutions and creditors to address reasonably foreseeable identity theft risks. As a result of the rise of cyber incidents and the increased focus on computer security, more insurance carriers have begun offering insurance to cover cyber risk liability. Not surprisingly, more companies are purchasing these policies, particularly those companies in the financial services, technology and health care industries. In this column, SRZ partner Howard B. Epstein and special counsel Theodore A. Keyes discuss the specific features of cyber risk liability policies based on a review of the policies available in the marketplace.