chevron-down Created with Sketch Beta.
January 22, 2018 Articles

Kicking the Tires on a New Cyber Policy: Top Tips and Traps

It takes both expertise and care to spot the traps or coverage gaps that may lurk in any cyber policy form

by John G. Buchanan and Marialuisa S. Gallozzi

A cyber insurance policy is an increasingly essential element in the enterprise risk management toolkit. But a first-time cyber insurance purchaser may be hard put to understand what coverage the insurer is selling and whether that coverage is a proper fit for its own risk profile. With little standardization among cyber policies’ wordings, confusing labels for their covered perils, and minimal interpretive guidance from the case law to date, a cyber insurance buyer trying to evaluate a new proposed policy may hardly know where to focus first.

The following are our nominees for the top 10 issues that prospective cyber insureds should focus on when they review a new cyber policy—or even the renewal of an old one.

1) Push your limits. Although total cyber limits up to $500 million are reportedly available in the insurance marketplace, many major companies’ cyber programs top out far lower. Trap: One lesson from our experience pursuing claims for historically major data breaches over the past decade is that even higher-than-average limits of $100 million fall far short of the total losses arising from a significant cyber-attack. Tip: If your principal concern is protection against catastrophic cyber exposures, then consider a higher self-insured retention and build the highest tower of limits above that retention that you can afford.

2) Beware of sublimits. Many cyber policies cap particular categories of loss at amounts less than the total policy limit. For example, some insurers sublimit coverage for regulatory and Payment Card Industry (PCI) expenses. In a claim for a major payment card breach, these sublimits can generate disputes over how various expenses are characterized and can complicate the timing and presentation of losses. Tip: Some primary insurers are willing to set full-policy limits for all or most of the coverage grants principally involved in a typical data breach. Negotiate as few sublimits as commercially feasible. Trap: Some proposed endorsements purporting to cover ransomware (such as this year’s WannaCry worm) are effectively exclusions masquerading as coverage grants with small sublimits. Ransomware already falls within the scope of “cyber extortion” coverage grants in many cyber forms; don’t accept a ransomware-specific endorsement without reviewing both the policy and the endorsement carefully. Tip: If you must accept a sublimit on a risk, check the “exhaustion of underlying insurance” provisions in your excess cyber policies, a) to determine whether they provide excess coverage for the sublimited risk, and b) if so, to make sure that such coverage “drops down” to the sublimited dollar level. Otherwise, even though you thought you’d bought excess protection, an excess insurer might assert that you must pay a coverage gap between the sublimit of a lower-level policy and the attachment point of its excess policy.

3) Push back the Retro Date. Network intrusions are often latent injuries: a hacker may be lurking on your system for months or even years before you discover the breach. Most cyber policies exclude loss arising from events happening before a specified “retroactive date,” regardless of when loss is discovered. Tip: The default setting for the retro date is the first inception date of cyber coverage, but some insurers are willing to set it up to a year earlier. Negotiate the earliest retro date you can. Trap: Forensic investigation after a breach may determine that the first network intrusion took place long before anyone initially expected—and if it’s before the retro date, a cyber insurer might deny further coverage for the claim. Tip: Under the “potentiality” standard that governs the duty to defend in most jurisdictions, the costs of defense and investigation that an insured has incurred before definitive confirmation of the first network intrusion date would be covered. Those early defense costs can be significant.

4) Reject “human error” exclusions. The Cottage Health litigation is a cautionary tale. See Columbia Cas. Co. v. Cottage Health Sys., No. 2:16-cv-03759 (C.D. Cal. filed May 31, 2016), appeal of stay pending, No. 16-56872 (9th Cir.); Cottage Health Sys. v. Columbia Cas. Co., No. 16CV02310 (Cal. Super., Santa Barbara Cty. filed May 7, 2015). The insurer’s complaint there alleged that the “failure to follow minimum required practices” exclusion in its cyber policy—applying to losses from, among other things, the Insured’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application”—precluded coverage for Cottage Health’s losses from a data breach. Trap: The most common root cause of data breaches is simple human error, such as an employee’s or outsourced IT vendor’s failure to adhere perfectly to your cybersecurity policies and procedures. An exclusion such as the one relied upon by the insurer in Cottage Health could gut the protection expected from cyber insurance. Tip: Exclusions for “failure to follow minimum required practices” do not appear in other major insurers’ cyber forms. If you see such a “human error”-type exclusion in the policy an insurer is offering, ask that it be deleted—or shop elsewhere.

5) Get your cyber application right. Cyber-risk insurance applications typically consist of detailed and highly technical questionnaires, and many cyber policy forms expressly recite that statements in the application (and sometimes even prior policies’ applications) are incorporated by reference into the policy, material to the risk, and relied upon in issuing the policy. Trap: An insurer bent on denying a claim may pore through those questionnaires looking for misstatements that might provide a basis to void the policy. For example, the insurer’s complaint in Cottage Health alleged that misstatements in the “risk control self assessment” in the insured’s cyber insurance application provided grounds to rescind the policy. Tip: The application process is a multi-disciplinary exercise. The company’s legal department—with the assistance of outside counsel as needed—should play an active role in coordinating both IT and risk management functions’ contributions to the cyber application, while also managing the privilege concerns that may arise from required disclosures of prior cyber incidents. All participants should be alert for over-broad or otherwise unreasonable reps or warranties in standard cyber application forms: for example, in light of recent reports on “Spectre”—an alleged chip bug inherent in most computing devices—it would be unrealistic to require an insured to represent that its computer system contains no known security vulnerabilities.

6) Understand your liability exposure, and your coverage, for payment cards. The P.F. Chang’s case is another cautionary tale. See P.F. Chang's China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016), appeal dismissed, No. 16-1614 (9th Cir. Jan. 27, 2017). Many retailers do not process payment card transactions directly, but instead contract out the processing function to an intermediary. After a payment card data breach, the card brands may impose payment card industry (PCI) fines and penalties on the card processor. But—as happened in the P.F. Chang’s case—the card processor’s service contract in turn may require the retailer to indemnify the processor for the PCI assessments. When P.F. Chang’s sought coverage for its indemnification liability under its cyber policy, the court held that the policy’s coverage grant did not cover PCI assessments imposed on the card processor. It also held that an unusually broad contract exclusion applied to the indemnity claim. Trap: When someone else handles your payment card processing, you might assume the extra-cost PCI coverage in a cyber policy is unnecessary protection. The ruling in P.F. Chang’s demonstrates that any such assumption, though reasonable, may be wrong. Tip: Discuss your direct and indirect liability exposures for payment cards with counsel, brokers, and underwriters when placing a cyber policy. Make sure the policy’s terms provide the protection you reasonably expect for those exposures in the event of a payment card breach.   

7) Know what kind of defense coverage you’ll get. Most cyber policies cover the costs of defending the insured against claims by third parties; but how they achieve that result may differ. Some policies give the insurer the right and duty to defend, and to control the defense, as in standard general liability policies. Others reimburse the costs of a defense primarily controlled by the insured, as in most directors and officers (D&O) policies. Some cover defense costs in addition to limits; most are “wasting policies,” where costs erode the overall policy limits. Trap: In the wake of a suspected cyber incident, you may immediately retain counsel whose privacy or cybersecurity expertise you have previously relied on, even before determining whether the incident warrants disclosure to regulators and notice to insurers. A cyber insurer might later refuse to consent to your chosen counsel, insisting instead that you select either its designated “panel counsel” or other counsel favored by the insurer but unfamiliar with your company. Tip: To avoid a counsel-selection clash that could distract from the urgent business of mounting a proper defense after a major data breach, try to reach an advance agreement on your preferred cyber defense firms, through either a separate endorsement or an amendment to the insurer’s standard “panel counsel” endorsement.

8) Make sure you get the regulatory coverage you need. Many cyber policies cover costs incurred in connection with regulatory proceedings; but a key question is when in the course of the regulatory process is there a claim by a regulator that activates the insurance coverage? Trap: Some definitions of a covered “claim” in cyber forms borrow language from D&O policies, which may cover formal regulatory or investigatory proceedings, but not the “informal” government inquiries and investigations that commonly follow a data breach. Tip: Make sure the definitions relating to regulatory coverage in an insurer’s proposed cyber policy are broad enough to include the costs of responding to regulators’ informal information requests as well as more formal regulatory proceedings. If not, request the more favorable regulatory coverage wordings available from other major cyber insurers—or shop elsewhere.

9) Mind the (coverage) gap, please. A policyholder must look across its entire insurance portfolio to consider whether and where significant gaps may exist. The connectedness of the internet of things is a prime example of the potential disconnectedness among common insurance programs. Most cyber policies exclude physical bodily injury and property damage. Traditionally, such physical harms were covered under conventional property policies and general liability policies. Trap: Over the past decade, cyber-related exclusions or restrictions have proliferated in standard property and liability policies, casting at least a shadow of doubt upon their coverage for cyber-caused physical harms. See, e.g., J. Buchanan & D. Cho, “When Things Get Hacked: Coverage for Cyber-Physical Risks.” Tip: Major first-party property insurers now commonly offer cyber-related coverage extensions. More recently, specialty policies covering liability for “cyber-physical” losses have entered the marketplace. If the internet of things or networked industrial control systems play any part in your operations, carefully explore both your current property and liability programs and these gap-filling alternatives.

10) And don’t forget “other people’s insurance.” Your own cyber policy must fit into your larger ecosystem of risk management arrangements. Under typical vendor or service contracts, counter-parties may be required both to indemnify you for cyber-related losses and to procure cyber insurance, both for themselves and for your company as an additional insured (AI). Tip: Check the “other insurance” clause in your cyber policy to determine whose policy will apply first if you are an AI under another party’s cyber policy. Trap: A certificate of insurance from a contracting party’s broker is not the same as the policy itself. Especially with cyber policies, which vary widely in their terms, the certificate may not accurately state either the scope of the other party’s coverage or your status under their policy. Tip: Implement internal risk management procedures for “other people’s insurance”: request and promptly review the policies required under insurance procurement clauses in all contracts; calendar those policies’ renewal dates and identify any changes in coverage; and notify the other party’s insurer in the event of a cyber incident.

Of course, this Top 10 list is far from exhaustive. But the moral of the story is this: it takes both expertise and care to spot the traps or coverage gaps that may lurk in any cyber policy form. It will pay to kick the tires before you buy.

Note: The views herein are those of the authors, not their employer or clients.

John Buchanan and Marialuisa Gallozzi are with Covington & Burling, LLP, Washington, DC.

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).