Trading on New Zealand’s stock exchange was disrupted last week, following four straight days of repeated cyberattacks that resulted in outages affecting debt, equities, and derivatives markets.  The DDoS attack, which is said to have originated offshore, is allegedly part of a global extortion scheme that has also targeted companies like PayPal and Venmo.  With this type of cyberattack becoming only more common and sophisticated, it is vital for policyholders to focus on the host of available insurance coverage options to protect against and maximize their insurance recovery following losses from a cyberattack.

Cyberattacks can lead to both first-party losses, like the costs following equipment damage, the restoration of data, and business-interruption; as well as third-party losses, like the costs stemming from customers’ claims due to data and privacy breaches (and the related defense costs, which can often be millions of dollars).  Luckily, different types of insurance policies can often provide coverage for both first– and third–party losses following a cyberattack.

The first place for a policyholder to look for potential coverage following a cyberattack are the standalone cyber insurance policies.  It is vital, however, for wise policyholders to look at all other policies in their portfolio following a cyberattack.  Very often, coverage for the various losses following a cyberattack can be found in other, more “traditional” forms of coverage, including (among others):

Policies with Both First-Party and Third-Party Coverage:

• Cyber policies usually provide coverage for damage to data (including data loss and recovery) and for business-interruption losses. In addition, cyber policies often cover the expenses related to reputational loss and to the hiring of experts to identify and address potential system weaknesses.

Policies with First-Party Coverage:

• Property “all risk” insurance policies might provide coverage for physical damage to computer and network equipment, as well as for related business-interruption losses.
• Crime policies can cover the expenses associated with a data breach due to social engineering, as well as the loss of funds due to computer and other kinds of fraud.

Policies with Third-Party Coverage:

• CGL policies that have broad advertising or personal injury coverage sections might cover breach of privacy costs arising from “follow-on” litigations, including third-party lawsuits by disgruntled or affected users and clients.
• D&O policies often provide a broad scope of coverage for an officer’s or director’s (and sometimes a company’s) “wrongful acts,” which can also trigger coverage after a perilous cyberattack.
• E&O policies might provide coverage for lawsuits related to data breaches on a third-party client.

As the cyberattack on the New Zealand stock exchange shows, cybercrime likely will only continue to mount in degree and sophistication.  DDoS attacks surged 542% in the first quarter of this year, compared to the final three months of 2019, according to cyber security company Nexusguard.  How insurance coverage will respond to the ever-changing threat posed by cyber risks largely depends on how a policyholder’s insurance program is structured, and the particular provisions and exclusions in each kind of policy.  Thus, it is imperative for policyholders to carefully scrutinize all coverage provisions under all insurance policies, both at the time of purchase and the point of claim, to maximize their chances of recovery.