Home » OPINION » Columns » LAW ELEVATED — Why you need cyber insurance and what you should know

LAW ELEVATED — Why you need cyber insurance and what you should know


3,813 – that’s the number of reported data breaches tracked through June 30, 2019, putting 2019 on track “to be the worst year on record for data breach activity,” according to the 2019 MidYear QuickView Data Breach Report, conducted by Risk Based Security.

This is an increase of 54 percent over 2018 figures during the same time period. The average cost of a data breach last year hit $8.19 million. In this high-tech era, all businesses are at risk of a data breach.

So, how can you protect your business from these breaches? One way is through cyber insurance.

Cyber insurance covers data security claims involving loss arising from a compromise of the insured’s computer systems. This most often is the result of intrusions like hacking into the insured’s systems, introduction of malware (programs designed to obtain unauthorized access to data or to damage data or computer systems) and ransomware.

Even though most commercial general liability (CGL) policies cover bodily injury or property damage caused by an accident, it likely does not cover a data breach. Bodily injury is typically defined as physical injury, sickness, or disease to a person – data breaches do not typically result in such injuries. Property damage is typically defined as physical injury or loss of tangible property – electronic data is not tangible property. With no bodily injury or property damage, the chance of a data breach claim triggering insurance coverage under your CGL is unlikely.

How much cyber coverage do you need? While there is no magic calculator to determine the coverage limits you need, you can assess an inventory of your risk by considering what data you store electronically and how you protect it. In other words, what do you stand to lose in the event of a data breach?

First, you need to know what data you must protect. Do you have personally identifying information, or PII (i.e., names and Social Security numbers, driver’s license numbers and/or bank account information)? Don’t forget about employee bank account information for direct deposits. Do you have protected health information, or PHI, including PHI relating to your employees’ participation in your health insurance program? Do you have credit/debit card information? What about confidential business information such as client information, intellectual property, or mergers and acquisition information?

Second, be prepared to discuss with your insurance professional how you protect such data. What is your information security policy and data breach response plan? Is your protected data stored in the cloud and, if so, what is the cloud provider’s information security policy? Do your vendors have access to such data and, if so, what is your vendor’s information security policy?

Third, consider what coverage you could need. Think about the following losses:

  • Notification.
  • Forensic investigation.
  • Legal fees.
  • Lost or corrupted data/ransomware.
  • Loss mitigation services such as credit monitoring and identity theft protection services.
  • Public relations/crisis management.
  • Business interruption/denial-of-service.
  • Fraudulent funds transfer.
  • Regulatory fines/penalties.
  • Third-party contractual losses, such as PCI fines.
  • Statutory penalties.
  • Litigation costs and settlement.

Finally, pay close attention to exclusions and limitations. Watch for narrow definitions of PII that may exclude coverage. Is there an exclusion if stolen or lost laptops are not encrypted or unencrypted data is breached in transit? If you use cloud services, look for coverage of data stored outside of your network.

When shopping and negotiating cyber insurance coverage, the wise saying “you get what you pay for” is true. You may need experienced counsel to help you carefully evaluate and negotiate adequate and appropriate coverage for your particular risks, especially when purchasing cyber insurance for the first time.

» MELODY McANALLY is a member of Butler Snow’s Commercial Litigation group and focuses her practice on data privacy and security. She is a co-team leader of the firm’s Data Security and Privacy Team, and she advises clients on data security protection, data breach response and cyber-risk management. She is licensed to practice in Mississippi and Tennessee.


… we’d like to ask for your support. More people are reading the Mississippi Business Journal than ever before, but advertising revenues for all conventional media are falling fast. Unlike many, we do not use a pay wall, because we want to continue providing Mississippi’s most comprehensive business news each and every day. But that takes time, money and hard work. We do it because it is important to us … and equally important to you, if you value the flow of trustworthy news and information which have always kept America strong and free for more than 200 years.

If those who read our content will help fund it, we can continue to bring you the very best in news and information. Please consider joining us as a valued member, or if you prefer, make a one-time contribution.

Click for more info

About For the MBJ