November 30, 2017 Practice Points

Key Tips for Policyholders in Cyber Insurance Claims

Policyholders should carefully consider their risks and the scope of coverage afforded to them under a cyber policy

by Sherilyn Pastor

Examine the Scope of Coverage

Policyholders will want to carefully consider their risks and the scope of coverage afforded to them under a cyber policy. The coverage afforded under cyber insurance policies vary. Most policies cover costs relating to investigations, including those relating to administrative and regulatory actions, and they cover fines and penalties. Many cyber policies also cover remediation/crisis management, including the costs associated with a data breach. This can be important as a policyholder is likely to be required, after a breach, to notify those affected and may also be required to provide credit monitoring services. Depending on their risks, policyholders also may want coverage for electronic extortion, network interruption, and/or media liability for risks relating to copyright infringement and other intellectual property issues.

Pay Attention to Coverage Limitations and Exclusions

Policyholders need to be mindful of their policies’ exclusions and limitations.  Some cyber insurance policies, for example, purport to limit coverage to an insured’s acts and omissions. This can present an issue for policyholders that store data on third-party “cloud” networks. Policyholders should determine whether their policies adequately cover acts and omissions of third parties.

Policyholders should also consider limitations on coverage for employees’ personal devices. Many employees are permitted to use their own personal devices for work-related purposes. In such circumstances, policyholders will want to confirm whether and how incidents involving employee-owned devices are covered by their cyber insurance policies. Policyholders may have a gap in coverage if their policies purport to cover only breaches involving computer systems owned by the company insured.

Review Approved Vendors and Legal Counsel

Some cyber policies provide that after a covered event, the policyholder must retain assistance from an approved list of vendors, including forensics accountants, lawyers, advisers and public relations firms. Before purchasing a cyber policy, a policyholder should consider limitations on its right to select breach response vendors and legal counsel that they deem appropriate. If policyholders have preferred vendors, they should have their policies endorsed to include them. They also can purchase coverage that allows them to select and retain companies in their discretion.

By Sherilyn Pastor is with McCarter & English, Newark, New Jersey.


Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).