Insurers have a number of tools to manage and limit risk. For example, cyberinsurance policies might exclude particular losses, such as those involving unencrypted data. Insurers could require the policyholder to implement particular safeguards during the policy period to lessen the risk of data breach or loss, and a failure to comply might void the coverage.
If the policyholder misrepresented its data management procedures in the underwriting process, a carrier could attempt to rescind a policy even if there were no causal relationship between the misrepresentation and the insured’s loss.
Few reported coverage cases address exclusions and warranties in cyberinsurance. However, authorities outside the cyber context provide some guidance about how these clauses could be interpreted and enforced. The impact on coverage can vary significantly, depending upon the type of clause or representation at issue.
Misrepresentations or Concealments
Misrepresentations or concealments of material facts in the underwriting process may entitle an insurer to rescind cyberinsurance from inception. Usually, no intent to defraud is required—an insurer may rescind even if the insured’s conduct was unintentional or negligent.
The insurer must show that the misrepresentation or concealment involved a material fact, but this is not a high threshold. Representations are material if truthful answers would have caused the underwriter to reject the application, amend policy terms or simply charge higher premiums. In most cases, the fact that the insurer asked about certain data security measures on the application, for example, may be sufficient proof that the insurer deemed the answers material.
Most jurisdictions do not require the insurer to establish a causal connection between the misrepresentation and any loss the insured later claims. Thus, a policyholder’s material misrepresentation about its antivirus software might entitle an insurer to rescind a cybersecurity policy from inception, despite the fact that a data breach had nothing to do with malicious codes or malware.
An “affirmative warranty” is a factual representation the insured makes in the policy itself. Statements in an application are warranties if the application is attached to the policy or incorporated by reference. Like misrepresentations, a breach of warranty voids the policy from inception if the warranty materially affected the insured risk.
But showing materiality is not always required with warranties. Depending on the jurisdiction and the policy language, the breach of an immaterial warranty might void a policy. Many cyberinsurance policies expressly state that all answers on the application are truthful and are deemed material. The plain intent of these provisions it to eliminate the need to litigate the materiality of the insured’s warranties.
As a practical matter, whether statements about the insured’s data security are affirmative warranties or mere representations usually has little impact on a coverage dispute. Since answers about a company’s data management bear directly on the risk being insured, the insurer probably would have little difficulty establishing that the answers were material.
A warranty can also relate to future events. An insured’s promise to maintain certain data security measures—such as data encryption, password protocols or regularly installed security patches—are enforceable as “promissory warranties.”
Typically, an insured’s negligence in contributing to a covered loss does not excuse the insurer’s obligation to pay. But the rule is different with warranties—the insured’s failure to comply with a warranty might void coverage even if the insured’s act or omission was merely negligent.
As with misrepresentations of fact, the insurer does not have to establish a causal connection between the breach and the loss. It is sufficient that the breach of a promissory warranty increased the covered risk and that this increased risk existed at the time of loss.
In one case, an insured warranted that there would be no firearms on its premises. The court held that the insured’s breach of this warranty voided coverage and that the insurer had no obligation to establish a causal connection between the breach and loss.
Similarly, the Ninth Circuit held that there was no coverage for damages from a jet crash where an airline failed to require second-in-command pilots to adhere to the training regimen outlined in the policy. It did not matter that the chief pilot had the required training or that the missed training might not have prevented the accident.
Because promissory warranties limit or void coverage, any ambiguity in policy language will be construed against the insurer. If the clause’s applicability is uncertain in any respect, a court most likely will interpret the provision in favor of coverage.
Few cyberinsurance policies contain promissory warranties. Instead, most insurers choose to limit risk through exclusions, which are more restricted in scope. But as data breaches become more prevalent and costly, it is conceivable that insurers may start to use these provisions more often.
If a policy contains a promise to implement a particular safeguard during the policy period, the policyholder should strictly comply with the requirement, as substantial compliance might not be enough.
Like all policies, cyberinsurance excludes particular risks. Typical clauses may preclude coverage for damages involving unencrypted data, or eliminate coverage for losses arising from the insured’s failure to reasonably maintain, upgrade and update its computer system.
It remains to be seen how courts will interpret requirements to “reasonably” maintain a computer system. As phrased, the exclusion conceivably could bar coverage for the insured’s simple negligence in preventing a data breach. Outside the cyber context, courts have enforced provisions that void coverage for the insured’s failure to install or maintain reasonable safeguards to lessen the risk of loss.
Because exclusions limit coverage, ambiguity in any requirement to maintain or update a computer system or to implement particular safeguards would be construed against the insurer. Whether a clause is enforceable may vary depending on other policy language and the particular circumstances of each case—an exclusion to maintain “reasonable safeguards” might be ambiguous as applied in one factual context but unambiguous in another.
Exclusions have a more limited reach than promissory warranties. Unlike with a promissory warranty, triggering an exclusion does not void insurance altogether. There simply would be no coverage for that particular loss.
The insurer must also establish some connection between the loss and the excluded risk. The necessary connection will depend on how a particular jurisdiction construes “relating to,” “in connection with,” or “arising out of” language in exclusions. In many jurisdictions, only a “minimal” relationship between the loss and excluded risk needs to exist for coverage to be barred.
As these standards make clear, policyholders need to take special care when answering questions about data security measures, particularly in the application process. Policyholders should also strictly comply with any promissory warranties. An insured could have defenses to rescission or a claim denial, such as ambiguities in policy language or waiver or estoppel arguments. The requirements for rescinding insurance are not especially difficult to meet, however, and a breach could result in a total loss of coverage.