As businesses know, a network failure can shut down operations for extended periods of time and data breaches can expose customer information to third parties, potentially subjecting the breached company to class action litigation and regulatory penalties.
The insurance industry has responded by developing cyber insurance specifically designed to address losses resulting from problems with networks and computer systems. Insurers have also taken steps to limit coverage for such losses under more traditional policy forms, like commercial general liability (CGL), directors and officers (D&O) and property insurance. Policyholders should know that cyber insurance comes in many forms, and they can and should shop around and negotiate for the coverage that best suits their needs. Here are 10 tips and traps for policyholders to consider when purchasing cyber insurance:
Know What Is Available
Cyber insurance policies are not standardized and policy forms available in the market vary significantly. Most cyber policies provide both first-party coverage (for loss of or damage to the policyholder’s own property, as well as lost business revenue) and third-party coverage (for the policyholder’s liability to third parties), but the scope of coverage can differ widely from policy to policy.
Common first-party coverages include data breach response costs (including the costs of notifying customers of a data breach, credit monitoring and forensic analysis, and crisis management/public relations services) and business interruption costs resulting from network failures, data breaches and ransomware attacks. Common third-party coverages include defense and indemnification for claims customers bring for lost or misused data, the costs of responding to regulatory investigations, and indemnification for regulatory fines or penalties.
“Loss” of Data vs. “Misuse” of Data
Following a data breach, a company may face claims from customers or clients whose data was lost or stolen. Many cyber insurance policies only cover such claims when the stolen data was subsequently “misused” by a third party who came to possess the data. However, policyholders are increasingly facing class action lawsuits based on the mere exposure of data in a breach, with no claim that data was misused. There may be no coverage for such a claim under a policy that requires the “misuse”—and not the mere “loss”—of data. To avoid this gap in coverage, policyholders should seek out or negotiate for policy language that covers third-party claims for data loss.
Costs of Responding to Regulatory Investigations
Data breaches frequently lead to investigations by regulatory agencies, which can impose fines or penalties on a breached company that failed to comply with applicable privacy laws. Many cyber insurance policies provide reimbursement for these regulatory penalties or fines. However, the cost of responding to regulatory investigations—including necessary counsel or vendor fees—is frequently not covered. Policyholders at risk of regulatory investigations should consider pursuing cyber insurance that covers the legal fees and other costs associated with responding to those investigations.
Retroactive Dates
Cyber policies typically exclude losses arising from a breach or event that occurred before a specified “retroactive date,” which is often the effective date of the policy. But by their nature, data breaches can go undetected for a long time. A data breach that is unknown at the inception of a cyber insurance policy can cause significant losses during the policy period, but will not be covered if the breach occurred before the policy’s retroactive date. Carriers are frequently willing to negotiate on retroactive dates and policyholders should push for the earliest dates possible.
What Are You Promising to Do?
Cyber insurers often require the policyholder to attest to the adequacy of its existing network security protocols or agree that it will comply with certain standards during the policy period. Policyholders must be certain that any representations of existing procedures are completely accurate, and that the organization has policies in place to ensure compliance with steps it has agreed to take in the future. If a cyber incident occurs and the insurer finds that the policyholder failed to comply with its representations or warranties, the insurer may deny coverage or even seek rescission of the policy.
Choice of Counsel and Vendors
Most cyber policies pay for the costs of outside vendors needed for cyber incident response or counsel needed to defend a third-party claim. Many policies allow the carrier to choose the vendor or the law firm, or require the policyholder to select from a pre-approved list. When purchasing cyber insurance, policyholders with preferred vendors or counsel should negotiate for the right to use them in the event of a cyber incident.
Definition of “Network”
Whether a particular breach or network failure is covered may depend on a cyber insurance policy’s definition of “network.” Policyholders should make sure that the term is defined broadly enough to cover their specific operations. For example, if the network can be accessed by mobile devices or by third-party vendors, that should be reflected in the definition.
Coverage for Vendor and Rogue Employee Misconduct
Although data breaches are often caused by rogue employees or vendors with access to a company’s network or systems, not all cyber insurance policies cover breaches by employees or vendors. Policyholders at risk of vendor and employee malfeasance should be aware of and seek out this coverage.
Business Interruption: Who Picks the Adjuster?
Cyber policies frequently cover business interruption losses from a network or security incident, with these losses typically calculated by an adjuster. Policyholders should pay attention to the policy’s procedure for selecting the adjuster and be wary of policy language that leaves the choice to the insurer. If the insurer gets to choose the adjuster, policyholders should negotiate for a provision that will fairly resolve disputes between the insurer and the policyholder over loss calculations.
Business Interruption: Third-Party Network Failures?
A policyholder’s business operations can be significantly disrupted by a denial-of-service (DoS) attack on a third party’s servers. For example, a DoS attack on a third-party DNS server can shut down traffic to many other businesses’ sites. Some policies only provide business interruption coverage for attacks on the policyholder’s own network. Policyholders that rely on third-party servers or networks should consider seeking business interruption coverage that extends to losses resulting from third-party server or network failures.
Cameron Argetsinger is special counsel at Kelley Drye & Warren LLP.