Businesses face serious risk of liability arising from cybersecurity and privacy breach and use of artificial intelligence. Just like we would not (or should not) drive a car without auto insurance, we should not operate a business in the digital age without coverage for this exposure. That type of insurance is not typically included in general liability or errors & omissions policies. Rather, we need to purchase the right policies to ensure our businesses have appropriate and sufficient coverage for potential cyber, privacy and AI liability.
Cybersecurity. Businesses face two primary cybersecurity threats, and need two types of insurance to cover them. The first risk involves compromise of a computer network or device leading to disruption of the system and encryption or theft of information. The damages that typically result from such a breach include costs for forensic investigation, legal fees for breach management, ransom payment, data review, notification of affected individuals, credit and identity protection services for them, notification of regulators, legal fees for regulatory audit, and payment of regulatory fines, as well as lost business revenue. The type of insurance necessary to cover such damages is typically called cyber liability insurance.
The other primary threat involves the compromise of an email or financial system leading to a monetary loss through funds transfer fraud. While cyber liability insurance is needed to cover the costs to investigate this breach, that insurance typically will not reimburse for the financial loss. Rather, the insurance needed to cover the loss is commonly called cyber crime, computer crime, fund transfer fraud, or social engineering insurance.
Businesses need both types of cyber insurance to appropriately cover exposure to both of these threats. However, not all insurance brokers are as familiar with these policies as you might expect. As a result, businesses need to devote time and attention to ensure that the limits and sub-limits of each of those coverages are sufficient for the amount and sensitivity of the information that they handle and the financial transactions they conduct.
Privacy. Privacy laws are different than cybersecurity laws. Cybersecurity laws require safeguards to be implemented to protect against the loss or theft of information, and notification in the event of breach. Privacy laws govern the collection and use of information. Those laws require businesses to notify and obtain consent from individuals before collecting and using their information, limit certain types of collection and use of information, and create rights individuals can assert with respect to information about them.
Because privacy and cybersecurity laws differ, the cyber insurance discussed above (which is usually meant to cover only cybersecurity breach) will not necessarily cover a violation of privacy laws, and sometimes such policies exclude it. Moreover, privacy breach coverage is something that insurance brokers are even more likely to be unfamiliar with. Thus, businesses need to work closely with their brokers to ensure that they cover this exposure.
Artificial Intelligence. Businesses are jumping at opportunities to implement AI. While this technology presents powerful potential, it also poses proportionate risks. Just like any other technology, even when deployed properly, AI can make mistakes that significantly damage the business using it and the customers the AI is used for.
Most existing insurance policies were not designed to address AI. Thus, while the language of some policies can be construed to cover damages caused by AI errors, other policies cannot and some expressly exclude such coverage. As insurance underwriters catch up on AI, it seems likely that more policies will exclude coverage for damages caused by AI errors, requiring the purchase of an AI endorsement or separate policy to secure such coverage.
As businesses approach insurance renewal time, they should work closely with their brokers to identify their existing and upcoming AI risk, and secure appropriate and sufficient coverage for it. That may be in the form of a modified cyber insurance or errors & omissions policy, or an endorsement to one of those policies. Additionally, developers of AI, firms that deploy AI for others (including IT managed services providers), and businesses heavily engaged in AI use may need to explore a separate policy to cover their AI exposure.
Do not make the mistake of assuming that your liability for cybersecurity breaches, privacy law violations, or AI errors is covered by your existing insurance, including a cyber insurance, errors & omissions policy, business owner’s policy (often called a BOP), or other insurance. Operating in a digital world means that we need to be sure that our businesses have appropriate and sufficient insurance to cover these digital risks.
Cameron Shilling founded and chairs McLane Middleton’s Cybersecurity and Privacy Group. The group of six professionals assists businesses and private clients to improve their security, privacy and AI compliance, and address any incidents, breaches, or litigation that occur.