Cyber Insurance Basics for Developers

Insurers offer both first- and third-party insurance for cyber losses:

• First-party coverage insures for losses to the policyholder’s own data or lost income, or for other harm to the policyholder’s business resulting from a data breach or cyber-attack.
• Third-party coverage insures for the liability of the policyholder to third parties, including clients and governmental entities, arising from a data breach or cyber-attack.

First-Party Costs

Some common first-party costs when a data breach or security failure occurs include:

• Forensic investigation of a breach.
• Legal advice to determine notification and regulatory obligations.
• Breach Notification costs of communicating the breach to affected constituents.
• Offering credit monitoring to affected parties.
• Public relations expenses.
• Loss of profits and extra expense during the time that your network and systems are down. This is also known as “business interruption” coverage.

First-Party Coverages

Available first-party coverages include:

• Theft and fraud: Covers destruction or loss of the policyholder’s data as the result of a criminal or fraudulent cyber event, including theft and transfer of funds.
• Forensic investigation: Covers the legal, technical or forensic services necessary to assess whether a cyber-attack has occurred, to assess the impact of the attack and to stop an attack.
• Business interruption: Covers lost income and related costs where a policyholder is unable to conduct business due to a cyber event or data loss.
• Extortion: Provides coverage for the costs associated with the investigation of threats to commit cyber-attacks against the policyholder’s systems and for payments to extortionists who threaten to obtain and disclose sensitive information. Ransomware is an example of this threat.
• Computer data loss and restoration: Covers physical damage to, or loss of use of, computer-related assets, including the costs of retrieving and restoring data, hardware, software or other information destroyed or damaged as the result of a cyber-attack.

Third-Party Costs

Common third-party costs include:

• Legal defense.
• Settlements, damages and judgments related to a breach.
• Liability to banks for re-issuing credit cards, if applicable.
• Cost of responding to regulatory inquiries. [eg. OCR, FDA, FTC ]
• Regulatory fines and penalties. [eg. OCR, State Attorneys General, FDA, FTC ]

Third-Party Coverages

Available Third-Party coverages include:

• Litigation and regulatory: Covers the costs associated with civil lawsuits, judgments, settlements or penalties resulting from a cyber event.
• Regulatory response: Covers the legal, technical or forensic services necessary to assist the policyholder in responding to governmental inquiries relating to a cyber-attack, and provides coverage for fines, penalties, investigations or other regulatory actions.
• Notification costs: Covers the costs to notify customers, employees or other victims affected by a cyber event, including notices required by law.
• Crisis management: Covers crisis management and public relations expenses incurred to educate customers concerning a cyber event and the policyholder’s response, including the cost of advertising for this purpose.
• Credit monitoring: Covers the costs of credit monitoring, fraud monitoring or other related services to customers or employees affected by a cyber event.
• Media liability: Provides coverage for media liability, including coverage for copyright, trademark or service mark infringement resulting from online publication by the insured.
• Privacy liability: Provides coverage for liability to employees or customers for a breach of privacy.

Developers’ cyber insurance requirements can vary widely, depending on factors such as: types and amounts of data processed, vulnerabilities, and the types of security measures in place. Expect cyber insurers to test your security, and above all, get qualified legal advice before choosing cyber insurance policies.