January 01, 2019

Removing the Mystery from Cyber Insurance

Insuring against digital attacks requires a new form of insurance that most firms now need to protect their business.

Judy Selby

Although sales of insurance for privacy and cyber risks are steadily on the rise in the U.S., so-called cyber insurance remains mysterious and confusing to many people. There are good reasons for this. Notably, cyber insurance is still a relatively new form of coverage without standard cyber insurance policy terms. Each of the 60 or so carriers that issue cyber coverage has its own proprietary cyber policy. Complicating matters further, policies are frequently updated in light of industry trends and the emergence of new cyber risks. This means that insurers must frequently tailor their policies to fit the needs and requests of individual insureds.

What Is Cyber Insurance?

Generally speaking, a cyber policy’s first-party coverage applies to costs incurred by the insured when responding to a covered cyber event. Third-party coverage responds to claims and demands against the insured arising from a covered incident.

Cyber insurance can provide much needed tactical and financial support to firms confronted with a cyber incident. This is particularly valuable for small and midsized firms that many not be well equipped to survive a cyber mishap.

First-party coverage. First-party coverage can be triggered by a variety of events, including the theft or disclosure of protected information, malicious destruction of data, accidental damage to data, IT system failure, cyber extortion, viruses and malware. First-party coverage is generally available for legal and forensic services to determine whether a breach occurred and to assist with the aftermath—for example, regulatory compliance, costs to notify affected employees and/or third parties, network and business interruption costs, damage to digital data, repair of the insured’s reputation and payment of ransom costs.

Third-party coverage. Third-party coverage can be implicated in a variety of ways, including by claims against the insured for breach of privacy, misuse of personal data, defamation/slander or the transmission of malicious content. Coverage is available for legal defense costs, settlements or damages the insured must pay after a breach and electronic media liability, including infringement of copyright, domain name and trade names on an internet site, regulatory fines and penalties.

New cyber coverages. Importantly, just as cyber risks have continuously evolved, so has cyber insurance coverage. Recent policy iterations offer protection against a wide range of today’s most vexing cyber threats, including cyber extortion, social engineering, senior executive losses, corporate identity theft and contingent business interruption.

Obtaining Cyber Coverage

Although there is no standard cyber policy application, insurers usually ask for similar types of information from a prospective insured, including financial and business information (such as assets and revenues), the number of employees and planned merger and acquisition activity. In addition, cyber applications typically inquire as to the types and volumes of data handled or maintained by the law firm, employment of cybersecurity and privacy personnel, existing network security programs and practices, a history of security and privacy incidents, awareness of facts or circumstance that could give rise to claim and more.

Care should be taken to accurately complete the application, which will become part of the policy if one is issued. You will likely find it necessary to seek input from a variety of internal and external stakeholders, such as IT vendors and consultants, in order to provide accurate and complete answers. Inaccurate information provided in the application may jeopardize coverage if a claim is later tendered under the policy.

Choosing the Right Cyber Insurance Policy

As noted, there currently are no standardized policy forms for cyber insurance. Policies often contain tailored provisions agreed to by the insurer and the insured during the policy negotiations. Policy terms like the grants of coverage, exclusions and conditions vary among the carriers that issue cyber policies. Numerous coverage options are offered.

The lack of standard terms means that law firms need to ensure that the cyber policies they purchase are appropriate for their specific cyber risk profile. For example, if a firm entrusts data to third parties, it will want coverage for that third-party risk. If it maintains an active social media presence, it will want media liability coverage. And as more regulations are enacted around cybersecurity and data-handling practices by U.S. and foreign regulators, obtaining comprehensive coverage for regulatory fines is increasing in importance for many firms.

Avoiding Pitfalls That Can Jeopardize Coverage

A policyholder’s work is not finished once it has purchased a cyber policy. The insured needs to be cognizant of the representations it made to the insurance company in connection with procurement of the policy and understand the affirmative obligations imposed by the terms and conditions of the policy. Failure to do these things may put coverage at risk in the event of a claim. Some of the key issues to keep in mind are highlighted below.

Representations made to the insurer. Extreme care should be taken to accurately complete the application. Inaccurate answers may jeopardize coverage if a claim is later submitted. For example, XYZ Law Firm states in its application response that it always encrypts protected data, and an insurer issues a policy relying on XYZ’s representations. If XYZ were to be hacked during the policy period, resulting in the theft of unencrypted protected data, coverage may well be at risk. Similarly, if Firm ABC represents that a qualified attorney approves all website content in advance of publication and disparaging claims against a competitor are later posted on ABC’s website by an unsupervised employee, coverage for the competitor’s claim may be affected.

The application also may require the prospective insured to provide updated information before a policy is issued if any responses in the submitted application are no longer accurate. Failure to do so may provide a basis for the insurer to later amend the issued policy, which may affect the coverage afforded to a claim.

Notice of claim conditions. Cyber policies routinely contain explicit provisions concerning how and when an insured must provide the notice of a claim. Depending on the exact policy wording, factual circumstances and applicable law, an insured’s noncompliance with a policy’s notice condition may provide grounds for its insurer to deny the claim.

Cyber insurance notice conditions are anything but uniform. For example, one cyber policy requires notice after an “Executive Officer” becomes aware of a claim, while another policy is much broader and requires notice when any of the following people learn of a claim:

President; members of the board of directors; executive officers, including the chief executive officer, chief operating officer, and chief financial officer; general counsel, staff attorneys employed by the insured organization; chief information officer; chief security officer; chief privacy officer; manager, and any individual in a substantially similar position as those referenced above, or with substantially similar responsibilities as those referenced above, irrespective of the exact title of such individual and any individual who previously held any of the above referenced positions.

As these two examples demonstrate, the obligations imposed on the insured can vary greatly from policy to policy. Insureds therefore are urged to understand the specific mandates of their policy and implement internal processes to operationalize those requirements.

Prior consent and panel requirements. Cyber policies generally require the insured to obtain the insurer’s consent before expending funds in connection with a covered event. For instance, insurers routinely mandate that the insured obtain the carrier’s “prior written consent” in advance of incurring costs to respond to a breach, claim or ransom demand.

Insureds also should be aware that some cyber insurers specify that the insureds must use preselected “panel” professionals, including attorneys, forensic specialists and notification firms. It’s critical for policyholders to know their carrier’s specific requirements in that regard in advance of suffering a cyber incident and expending funds to retain service providers.

Judy Selby

Judy Selby is the owner of Judy Selby Consulting and assists clients with insurance needs, including cyber insurance. Email her.