February 20, 2020

Getting Full Insurance Coverage for Your Actual Cyber Exposures: A Users’ Guide to the Nit and the Grit

Edward M. Dunham, Jr.

By now, most businesses accept ongoing cyber threats as a fact of life. How could they not with the onslaught of daily news reporting about malware, phishing, ransomware, viruses, and various other hacking attacks? Some firms, accepting the reality of the threats, are deciding whether to ignore their cyber risks, fix them, or transfer them by way of insurance. This article considers this last option, specifically how you can obtain full insurance coverage for your actual cyber exposures at a fair premium.

Although not impossible, the process is a good deal more complex than, say, purchasing adequate fire insurance. What follows is a step-by-step primer on how to get the job done. In a nutshell, you must first thoroughly assess your IT and non-IT risks and then retain a broker knowledgeable in cyber-risk insurance coverage so you can come to the bargaining table with an accurate understanding of the coverage you actually need.

Essential Steps

Step One. It is absolutely critical that you have a thorough, comprehensive assessment of your cyber exposures in hand to enable your critical decision-making. This assessment should cover your IT risks, including systems security, policies, procedures, and training, and your non-IT risks, including social media usage and policies, bring-your-own-device policies, Cloud-computing contracts, Internet of Things exposures, and compliance issues. Without such a thorough and comprehensive assessment, you simply cannot make informed cyber risk-management decisions to protect your business.

Step Two. Retain a sophisticated broker who is savvy in the various cyber insurance coverages offered. There are a great number of underwriters offering cyber risk coverage, with the various coverages differing in the risks covered, the assessment of a policyholder’s risks, and the premiums charged. Only a truly qualified broker, experienced in the marketplace, can guide a business through the maze to the right coverage.

Step Three. This is the promised nit and grit. Any business needs two major classes of coverage: first-party liability coverage for risks that it cannot remediate but that are too pressing to ignore, and third-party liability coverage for damages it might cause, directly or indirectly, to third parties. An example of the former would be the intrusion of a virus that causes a disruption in a firm’s business, and of the latter a hacking attack that causes a breach or loss of a client’s data. The coverages set out below are those you should discuss with your broker and insist upon when you have the data to indicate the real risks.

Primary Liability Coverages

First-party liability coverage is for your firm to cover the costs incurred from a break-in to your systems. The essential elements of the coverage are:

  • Theft and fraud coverage for some of the costs of a theft or destruction of your data, or theft of your company’s funds. How much coverage you may be able to obtain may depend on how well-versed you are in the actual costs your business will incur.
  • Forensic investigation coverage for determining the cause of the intrusion.
  • Network and business interruption coverage can be the most important part of your cyber coverage. The carrier may impose limitations to this coverage, but one of them you should not permit is specifying that the intrusion must be caused by an intentional cyber attack. Not only may “intentional” be hard to prove, but for your business the result is the same: you are losing money because of the attack. Reasonable conditions on the coverage may include a time limit on when the coverage begins and the total length of outage the insurance will cover. You can negotiate these limitations if you are fully prepared to discuss the business exposures giving rise to the coverage you are seeking, including contingent business expenses which you probably will not be able to quantify in advance.
  • Extortion is coverage for the cost of the “ransom” you may be required to pay to get your systems back online. Although there is no way to quantify the demand in advance, ransomware tracking shows these demands are on the rise.
  • Data loss and retention is coverage for the cost of restoring any data that may have been lost and possibly the cost of diagnosing the cause of the loss. It may be expensive because it is typically subject to substantial retentions. You should ensure, to the extent possible, that this coverage is not limited in terms of the cause of the loss. In this regard, it will be important for you to be able to demonstrate that you have taken the necessary measures to remediate, within your firm’s capability, any potential IT or non-IT exposures revealed by your assessment so that the insurer is comfortable with not including a cause-of-loss limitation.

Third-party liability coverage is to cover claims by third parties whose data within your possession has been hacked into or otherwise compromised. The essential elements follow:

  • Privacy coverage is to address claims by your firm’s customers, clients, and employees for breaches of their confidential information. This coverage should include any failure to protect the data, rather than specifying that the breach be intentional. You should also seek coverage for any failure to report the breach under applicable state reporting requirements, or failure to disclose a breach under applicable privacy laws.
  • Regulatory actions coverage should include defense costs for any governmental or civil investigations or requests for information, beginning with the onset of the investigation, whether or not the investigation is instigated by a formal complaint or “suit.” You also will need coverage for civil fines and penalties.
  • Notification costs include notifying third parties who may have been affected by your data breach. You should be prepared to inform the insurer of the number of people to be notified and the method and cost of notification. Ensure this data is included in the policy along with a provision allowing you to update this data on a regular basis. Given the constantly changing landscape of individual state notification laws, it behooves your counsel to keep track of the state requirements that may apply to your clients.
  • Crisis management is an important element of this coverage to defray the public relations costs of defending or repairing your reputation. These costs may be difficult to quantify in advance, but you would be advised to consider coverage to support a substantial budget. Reputational restoration can be one of the most important aspects of your post-breach efforts.
  • Call-center costs may be one of the most significant of your post-breach expenses. It is important to have coverage for these costs included, along with the number of people eligible to receive call-center services, the specific call-center services to be provided, and the call center’s hours.
  • Credit/identity monitoring coverage is included in most policies but may be limited by the individuals who can receive the services and the list of approved vendors.
  • Transmission of viruses and malicious code protects against liability claims for damages for the transmission of viruses or other malicious code or data from your system to another system. Although important if your system is capable of this kind of transmission, you do not want to pay for unneeded coverage.

Other Important Considerations

Types of policies. Policies are generally divided into two major categories: “claims made” and “occurrence.” A claims made policy is triggered when a claim is made against the insured during the current policy period, regardless of when the act that gave rise to the claim took place. Occurrence policies cover claims that arise out of damage or injury that took place during a policy period, regardless of when claims are made. Most commercial general liability insurance is written on an occurrence form.

By way of example, a claim made by a customer in the current policy year that it suffered damage 10 years ago would be covered by a current claims made policy. On the other hand, a claim that the damage occurred during a 10-year-old policy period, even though the claim was not made until five years later, would be covered by an occurrence policy.

Trigger. Cyber policies, whether claims made or occurrence, typically are triggered by an event that results in the loss of data during the policy period. The claims-made policies typically are more restrictive in terms of the events that can trigger coverage, and the timing of resulting claims in relation to the loss may limit or preclude available coverage. Thus, you may find the occurrence policies preferable, their higher premiums notwithstanding.

Defense obligations. In some cyber policies, the defense obligation can be triggered only by a “suit,” which requires a lawsuit or written demand against the insured. This definition may preclude defense of a claim that has yet to ripen into a lawsuit or written demand, where much of the defense costs on a particular matter may be spent. You should argue for less restrictive defense language so that there are no limitations as to coverage for governmental actions including investigations.

Choice of defense counsel. In some cyber policies, defense costs are covered only to the extent that the insured chooses from the insurer’s list of “panel” law firms. If the insured chooses a different firm, its defense costs probably will not be covered.

Given the substantial costs likely to be associated with a significant data breach—costs that could exceed the limits of the primary and applicable excess policies—you should have substantive input in the choice of counsel. Accordingly, you should argue for a policy with a balanced choice of counsel language, e.g., the insured and the insurer should mutually agree on defense counsel, and if they cannot agree, the insured will choose counsel for which the insurer shall pay up to a set hourly rate.

Retroactive coverage. Cyber policies often contain a “retroactive date,” under which losses arising from events prior to that date will not be covered. Insurers often would like to fix the retroactive date at the initial date of coverage. Given that exposures unknown to you may have occurred some time ago, you should negotiate a retroactive date as far back as you can reasonably determine your exposures may have arisen.

Vendor liability. Acts and omissions of third parties may not be covered expressly, or may even be excluded, under some cyber policies. By way of example, if a company uses the services of a third-party vendor to maintain its confidential customer or employee information in the Cloud, and the vendor experiences a data breach, your firm could be sued by its customers or employees. Whether you have coverage will depend on the policy language. Some cyber policies provide coverage for breaches of data maintained by third parties so long as there is a written agreement between the insured and the vendor to provide such services.

If you rely on a third party to maintain any of your confidential information, you should consider seeking a policy that expressly covers breaches of data maintained by the third party.

In the alternative, your contract with your cloud provider should include indemnification language backed up by a provision that the provider will maintain verifiable cyber-risk insurance. Self-insured retention language applicable to your coverage should be clear that any payments made by the third party indemnifying the company for loss sustained by the breach count toward satisfaction of the retention.

Loss of unencrypted data. Coverage for data lost from unencrypted devices is often excluded in cyber policies. If you must live with this limitation, ensure you have an enforceable policy that all personal information or sensitive firm information, in any format, is encrypted on individual devices. The better firm policy would prohibit personal information and sensitive firm information from personal devices, period.

Identity of covered entity. Many cyber policies define covered persons, for liability purposes, to include only natural persons. Your policy should accurately define the entity or entities who may be affected. This would also be the place to include any other entities who should be listed as additional insureds.

Policy territory outside the United States. Even if your firm does not operate outside the United States, your employees may lose their laptops, PDAs, and other electronic devices containing confidential information, or have them stolen, while traveling abroad. Many cyber policies attempt to restrict the applicable coverage territory to the United States and its territories. You should ensure that your cyber policy provides coverage for losses or thefts of confidential information that occur outside the United States.

Breaches unrelated to electronic records. Some cyber liability policies restrict coverage to loss or theft of electronic data. Given that many breaches occur as a result of loss or theft of paper or other nonelectronic records, your policy should cover both electronic and other forms of records.

Location of security failure. Some cyber insurers attempt to limit coverage to physical theft of data from company premises. This limitation would deny coverage for claims arising from laptop, PDA, or thumb drive thefts. Other policies limit coverage for data breaches resulting from password theft to situations where the theft occurs by nonelectronic means. You would be well advised not to permit these kinds of limitations, which could be costly in the long run.

Exclusions for generalized acts or omissions. Some cyber insurers will attempt to exclude coverage for losses arising from: (1) shortcomings in security of which the insured was aware prior to the inception of coverage; (2) the insured’s failure to take reasonable steps to design, maintain, and upgrade its security; and (3) certain failures of security software. If your firm performs a thorough cyber-risk assessment and acts on the remediation recommendations in the assessment, you should be able to demonstrate that, in your case, these kinds of exclusions should not be included.

Exclusions for acts of terrorism or war. Many cyber policies include this common exclusion, which would seem to apply to an attack by a foreign nation. If you cannot get the insurer to leave this exclusion out, then consider purchasing alternative coverage that would address your concerns.

Conclusion

You absolutely can achieve your goal of obtaining cyber-risk coverage for your full range of cyber exposures, but only if you have a thorough assessment of your IT and non-IT risks in hand, retain a broker knowledgeable in cyber-risk insurance coverage, and come to the bargaining table fully prepared with the essential facts as outlined above.

Please feel free to contact the author:
Edward (“Ned”) M. Dunham, Jr.
Spector Gadon Rosen Vinci P.C.
1635 Market Street, 7th floor
Philadelphia, PA  19103
edunham@sgrvlaw.com
(215) 241-8802

Edward M. Dunham, Jr.

Attorney, Spector Gadon Rosen Vinci P.C.

Edward M. (“Ned”) Dunham, Jr., Esq., is chair of the Cyber Security Group at the law firm of Spector Gadon Rosen Vinci P.C. The firm has offices in Philadelphia, New Jersey, Florida, New York, and Atlanta.
