Although the specifics of coverage will change, cyber-insurance policies generally provide two forms of protection: (1) third-party liability coverage, i.e., amounts paid in defending or resolving claims by third parties; and (2) first-party coverage, i.e., the business’s own losses.
Legal departments should consider the risk of third-party claims broadly and look for cyber policies to provide coverage for (1) lawsuits and written demands from customers or suppliers resulting from a cyber breach, (2) liability for regulatory claims, and (3) online media liability for claims alleging that the organization’s website contains defamatory or infringing statements. The potential liabilities are constantly evolving. Recently, there has been an increasing risk of regulatory claims in light of the European Union’s implementation of the General Data Protection Regulation and the U.S. Securities and Exchange Commission’s push toward investigations of and fines for companies that fail to disclose cyber events.
For first-party coverage, policyholders should focus on breach-response costs, business-interruption costs, and costs for data loss and restoration. In addition, businesses that collect payment cards should ensure that coverage extends to payment-card-industry fines or fees imposed by bank or credit card companies for failing to comply with security requirements.
Given that cyber risks change rapidly, coverage provided by these policies necessitate regular updating. For example, in 2017 and 2018, ransomware attacks and social engineering attacks were the most common cyberattacks, but other risks are anticipated in the years ahead. Companies must remain vigilant for what comes next.
What’s Not Covered
Just as the scope of coverage varies from cyber policy to cyber policy, exclusions likewise vary by policy form. Although the language of exclusions in different policy forms is not identical, common exclusions and limitations to review in cyber-insurance policies include intentional, dishonest, or fraudulent acts; civil fines and penalties; acts of war or terrorism; and prior knowledge and/or retroactive coverage.
Cyber policies frequently include exclusions for intentional, dishonest, or fraudulent acts. For a narrow exclusion, policyholders should seek an exclusion that is applicable only upon a final, nonappealable determination of a court in the underlying action.
In addition, cyber policies often include limitations on civil fines and penalties. Such limitations on coverage for fines and penalties may be in the form of a stand-alone exclusion or a carveout from the loss definition. Policyholders should avoid these limitations if possible because civil fines and penalties are one of the types of costs that a policyholder is most susceptible to incur following a data breach. Some carriers will make modifications to preserve coverage for civil penalties while excluding coverage for criminal fines and penalties.
Furthermore, some cyber-insurance policies bar coverage for loss resulting from acts of war or terrorism. Given that state actors sometimes are the culprits, policyholders should seek policies that do not have such an exclusion or that limit the exclusion to narrow factual scenarios.
Finally, most cyber policies exclude loss arising from events occurring before a specified “retroactive date,” regardless of when a claim is made or a loss is discovered. Policyholders should negotiate the earliest retroactive date possible. The problem is that events thought to be minor events can, in fact, be catastrophic. Sometimes hackers may be hidden inside a company’s system for months. Other times, companies will learn about a cyber event but not appreciate the scope of the damage. Legal departments should protect their organizations from these contingencies.
How to Preserve Coverage for Claims and Losses
Preserving coverage for claims and losses is more than just a matter of buying cyber insurance. It also involves steps that companies should take before purchasing the insurance and after experiencing a cyber loss.
Before purchasing cyber insurance, companies must understand the underwriting process and beware of sublimits.
The underwriting process for cyber liability insurance is detailed and comprehensive. Policyholders should provide thoughtful and accurate information during this process because some cyber-insurance companies have asserted misrepresentation as a coverage defense following a data breach. Cyber-policy applications typically require the applicants to, among other things, attach their most recent financial statements; answer questions about their practices in connection with vendor contracts; provide information about whether they are compliant with payment-card-industry data-security standards; and provide information about the type of data they collect. Cyber-policy applications also seek information about any prior data breaches that the company has experienced. In addition to careful completion of these tasks, prudent policyholders will take steps at the front end of the underwriting process to reduce premiums, such as providing additional information where application questions are vague, working with brokers and consultants who understand cyber coverage and technology-related issues, and involving individuals from the information-security department to ensure that responses about security practices are accurate.
Furthermore, in some instances, sublimits in endorsements may add coverage that does not exist; but, in many instances, insurers add sublimits that actually reduce coverage already provided. In-house counsel should carefully review sublimited coverage to ensure (1) that it is not reducing coverage that the policy otherwise would have provided and (2) that it is sufficient to address the organization’s risk and potential exposure.
In addition to steps taken before purchasing insurance, companies must understand what to do in the event of a loss or breach. Focused legal departments will have a plan before a loss occurs. Many companies retain a SWAT team—consisting of a cyber coach, attorneys, forensic accountants, and engineers—to take action in the event of a breach. During underwriting, policyholders should ensure that this preferred SWAT team is approved for use by the insurer. In the aftermath of a breach or a loss, policyholders should have coverage counsel in place that will assess which insurance policies may respond, provide notice to applicable insurers as required under the policies, and document corporate losses in a manner that maximizes the likelihood of payment. The worst-case scenario is both to have a cyber loss and to fail to properly access and maximize insurance.
Insurance must be a part of every company’s plan to deal with cyber risks. Due to the sheer number and complexity of cyber-insurance policies, companies should carefully vet policies to understand what is covered and what is excluded. In addition, companies should take steps before purchasing insurance and after a loss to preserve coverage for their claims.
Joseph M. Saka is counsel with Lowenstein Sandler LLP in the firm’s Washington, D.C., office.