Organizations today must regard cyber breaches not as a possibility, but as an inevitable fact of life. In this environment, it’s crucial to have a cyber liability insurance policy that adequately covers the potential loss and offers payment or reimbursement for response costs. Understanding what’s covered by the policy well before a breach occurs and building that knowledge into your company’s incident response plan is critical.
What are First-Party Cyber Breach Costs?
First-party costs, in relation to cyber insurance coverage, are fees or expenses that you (the insured) incur to remediate a cyber breach. First-party cyber breach response costs usually include:
- IT Forensic expenses (to identify the cause of the breach)
- Legal fees (to determine if you’re required, by law, to notify impacted parties of the disclosure of private information)
- Costs to notify regulatory agencies, individuals or employees who have been affected or are believed to be affected by the breach. These may include postage, call center expenses, notification by phone or e-mail, etc.
- Credit monitoring services costs for impacted parties
- Fees and expenses to engage a crisis management firm or PR firm to get a positive message out to the public
Reviewing the Language Related to Breach Costs in Your Cyber Policy
When examining the language of your cyber insurance policy, it’s crucial to review the conditions under which the policy offers payment or reimbursement for the breach.
It’s best to start with the insuring agreement, which will usually state if the insurance company will pay on your behalf or reimburse your organization. Typically, breach response costs are paid by reimbursement, but having the insurer pay on your behalf is ideal.
Next, determine if the policy offers reimbursement only if you “become legally obligated to pay.” If a specific breach law or agency regulation does not require your company to incur a particular expense, the insurance carrier may not have any obligation to cover you for it.
Also make sure you review the definition of Breach Response Costs (or the equivalent in your policy’s wording). You’ll want to determine exactly what the policy is reimbursing you for. This language may sometimes seem to contradict the insuring agreement, since not all breach response costs are required by law. Costs not required by law might include IT forensics and legal fees to determine whether notification is required.
For example, your policy’s definition may state that “Breach Response Costs means the following fees, costs, charges, or expenses, if reasonable and necessary…”. You’ll want to negotiate what constitutes “reasonable and necessary” costs before your organization incurs any expenses, so there are no surprises when payment is expected from the insurer.
Sometimes cyber insurance policy forms are as complex as the risk itself. At the ALS Group, we’ve helped dozens of organizations craft custom cyber liability insurance policies.