January 31, 2023 Practice Points

Four Tips to Avoid Denial of Cyber Insurance Coverage for a Data Breach

Steps to take now to be sure you and your clients are covered by your cyber liability insurance.

By Robert Wilkins

Most law firms and clients have cyber liability insurance. Cyber insurance policies provide broad coverage for cyber extortion, data restoration, public relations, computer fraud, business interruption, regulatory compliance, and related risks. However, having coverage is one thing; keeping it is another. The coverage under a policy depends on the representations the insured makes in its application and on its continued compliance with them. One of the most common grounds for denial of coverage is a misrepresentation, omission, or incorrect statement in the insured's application for the policy, or a failure to notify the insurer of a material change in its security practices.

A typical application for cyber liability insurance will contain a privacy and security liability questionnaire, as well as a section on information security. According to an August 2022 Fitch Ratings report, the key items insurers require for coverage include the use of multifactor authentication, employee training on phishing and other types of cyberattacks, password-strength requirements, regulatory reporting obligations, and an assessment of the quality of the insured's incident-response plan and penetration testing. Continued compliance with those requirements is a condition of keeping the coverage.

The Hole in the Cyber Insurance Net

There is a hole in the cyber insurance net that stems from the insured's inadvertent (hopefully not intentional) failure to understand its security measures and to maintain them throughout the life of the policy. Unfortunately, too many insureds, law firms included, do not have a written information security policy (WISP) that sets forth the procedures for evaluating the electronic and physical methods by which the firm accesses, collects, stores, and protects its data. Unless you know what data you have and where it is located, it is hard to know what you need to protect.

An insured's failure to fully understand its data security practices and procedures can lead to material misrepresentations, omissions, and incorrect statements in the application for insurance. The consequences of misstatements or omissions in the policy application cannot be overstated. One business that suffered a large data breach learned this the hard way when it was denied coverage and had its policy rescinded.

In Travelers Prop. Cas. Co. v. Int'l Control Servs., Inc., 2:22-cv-02145, complaint filed, 2022 WL 2532994 (C.D. Ill. July 6, 2022), Travelers sought to rescind its cyber liability coverage of the insured, International Control Services (ICS), because of material misrepresentations allegedly made by the insured in connection with its application for the policy. The insured had represented that "to the best of [its] knowledge and belief, and after reasonable inquiry, the statements provided in response to this Application are true and complete … ." (Id.). Travelers' claim for rescission rested on the fact that ICS, in its policy application, stated (and signed a separate attestation) that it required multifactor authentication for administrative access to its data. Upon investigation, Travelers concluded that ICS had misrepresented the scope of its authentication controls, and that the gap between what was attested and what was actually enforced was what the breach exploited. The parties agreed to rescind the policy, and the lawsuit was dismissed with prejudice by a stipulated order.

The Travelers case illustrates the consequences of an insured's failure to follow the policies and procedures claimed in its application. In addition, most cyber policies contain a specific exclusion that precludes coverage for claims arising from the policyholder's failure to maintain the security standards it represented. As a result, insureds must regularly monitor, update, and test every cybersecurity control their policy requires, and treat each statement in the application as a claim about every system and account it covers, not just the ones that come to mind first.
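The scope problem in the Travelers matter (MFA attested for "administrative access" generally, but enforced more narrowly in practice) is exactly the kind of statement an insured can verify before signing. The script below is an added example, not part of this article and not any insurer's tool: it reconciles the attestation "MFA is required for all administrative access" against an inventory of privileged accounts. The inventory is constructed sample data, and its field names (`system`, `admin`, `mfa_enforced`, `interactive`) are assumptions about what an export from an identity provider or access review would contain, not a real export format. It deliberately includes two common sources of a false attestation: an administrator who has MFA on the VPN but not on the directory itself, and a service account with administrative rights that never prompts for a second factor.

```python
"""Reconcile an MFA attestation against a privileged-account inventory.

Added example (not from the article). The account list is constructed
sample data; the field names are assumptions about an access-review
export, not a real identity-provider schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str
    system: str          # where the account grants access
    admin: bool          # does the account carry administrative privilege?
    mfa_enforced: bool   # is a second factor required at every login to this system?
    interactive: bool    # can a human log in with it (False = service account)


# Constructed inventory. Note that "alice" has MFA on the VPN only: the
# perimeter is covered, the directory she administers is not.
INVENTORY = [
    Account("alice", "vpn", admin=True, mfa_enforced=True, interactive=True),
    Account("alice", "domain-admin", admin=True, mfa_enforced=False, interactive=True),
    Account("bob", "mail-admin", admin=True, mfa_enforced=True, interactive=True),
    Account("svc-backup", "file-server", admin=True, mfa_enforced=False, interactive=False),
    Account("carol", "workstation", admin=False, mfa_enforced=False, interactive=True),
]


def admin_accounts_without_mfa(inventory, include_service_accounts=True):
    """Return every account the attestation covers but that lacks MFA.

    The attestation is about administrative access as a whole, so the
    default counts non-interactive (service) accounts too; pass
    include_service_accounts=False only if the policy wording excludes them.
    """
    return [
        a for a in inventory
        if a.admin
        and not a.mfa_enforced
        and (include_service_accounts or a.interactive)
    ]


def attestation_holds(inventory, include_service_accounts=True):
    """True only if no in-scope administrative account lacks MFA."""
    return not admin_accounts_without_mfa(inventory, include_service_accounts)


def gap_report(inventory):
    """Human-readable summary of the gaps, for the file the insured keeps."""
    gaps = admin_accounts_without_mfa(inventory)
    lines = [f"MFA-for-all-admin-access attestation holds: {not gaps}"]
    for a in gaps:
        kind = "interactive" if a.interactive else "service"
        lines.append(f"  GAP: {a.user} on {a.system} ({kind} admin account, no MFA)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(gap_report(INVENTORY))
```

Run against the sample inventory the attestation fails on two accounts. The point of the exercise is that the answer to an application question is only "yes" when the check comes back empty for every system in scope; an answer based on a single control, such as MFA at the VPN, is the misrepresentation the Travelers rescission turned on. Keep the report with the signed application so that the same check can be re-run, and the insurer notified, when the inventory changes during the policy period.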

The increase in data breaches, the costs that follow from them (which can include potential criminal and regulatory liability), the security measures and representations demanded by some law firm clients (banks in particular) and by insurers, and the need to stay abreast of constantly changing threats all demand that law firms (and their clients) implement and closely monitor their cybersecurity policies and practices. Best practice requires at least an annual review of the written information security policy and of the practices that implement it.

Cybersecurity Checklist

  • Read your cyber insurance policy application and its representations, and confirm that each representation is accurate for every system and account it covers.
  • Update your policies and practices to stay on top of changes and innovations in data security.
  • Train and test your employees in data security practices and potential breaches, especially phishing schemes.
  • Keep an open line of communication with your insurance provider and follow its recommendations regarding cybersecurity. Consider having an outside vendor run penetration tests of your data security systems.

The bottom line: data breaches may be inevitable, but diligence and preparation can mitigate both their financial and reputational impact.

Robert Wilkins is a litigation shareholder at Jones Foster P.A. in West Palm Beach, Florida.

The material in all ABA publications is copyrighted and may be reprinted by permission only.

Copyright © 2023, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).