Cyberinsurance coverage terms
Cyber Risks
Cyber attacks have become an almost daily event affecting all sizes and types of businesses. Many businesses are still struggling with basic information security fundamentals as their risk of data breaches continue to increase. Because data tends to migrate to unexpected areas, it must be identified, located, tracked and monitored in order to stay ahead of cybercriminals, cybervandals, and cyberterrorists.
Cybersecurity is an imperative, not an option. Every organization with access to the Internet needs to utilize and maintain sophisticated methods to control and track sensitive data and to ensure that sensitive data is fully encrypted. Security issues will only grow more important each year.
Cybersecurity is not just a technical problem. Cybersecurity is about people, process and technology.
Cost-effective risk management requires separating “critical” data from data with little value if it is lost, compromised, or distributed. The tangible and intangible value of the data — how much damage will occur if it is stolen, exposed, or lost — and the amount of insurance protection which can be purchased are critical factors in creating an effective risk management plan.
Analyzing Cyber risk coverage
It is time to take a close look at the protection provided by cyber risk insurance policies—cyberinsurance—as data security incidents continue to increase, media interest intensifies, and government agencies become more actively involved in policing the corporate response.
Although cyber coverage is a relatively new product in the insurance marketplace, policies are being sold under a number of different names, including “cyber risk,” “information security,” “privacy,” and “media liability” coverage. Unlike other types of insurance, there is no standard form on which the insurance industry as a whole underwrites cyber coverage, which makes buying coverage more challenging but often leaves some room for negotiation of the terms.
Policies should include defense from the earliest stages of an investigation, typically including a civil investigative demand or similar request for information from a government agency. Otherwise, legal fees can grow without any significant constraint and eventually consume the entire policy limits, leaving the Company with no insurance to pay the actual claims.
Here are a few considerations which cannot be overlooked during the process of purchasing cyberinsurance.
Third-Party (Liability) Coverages
Privacy liability coverage. A cyberinsurance policy should cover failure to protect confidential information whether it belongs to customers, clients or employees regardless of the cause and should not require an intentional breach. The policy should also cover failure to disclose a breach in accordance with privacy laws.
Regulatory actions. Make sure that any cyberinsurance policy includes defense from the earliest stages of investigation by any government agency or regulatory authority. Cyberinsurance policies which require that regulatory and other governmental actions be initiated by a formal “suit” in order to trigger the defense obligation preclude recovery of defense costs incurred during the investigative stage of government actions, which is often the most expensive stage for the Company. It is also important to make sure that the cyberinsurance policy provides coverage for civil fines and penalties which may be imposed by government agencies and regulatory authorities.
Notification costs. Coverage for the cost of identifying and providing actual notice to individuals who may be affected by a data breach is necessary as individual states promulgate new and not necessarily consistent breach notification laws. Beware of policy endorsements which may limit the number of individuals that must be notified and the method or methods of providing notice. Giving notice of a cybersecurity breach with possible loss of private information to customers, clients, suppliers, and the general public can become a very sensitive matter which the affected organization should control not the insurance carrier.
Crisis management covers the costs of managing the public information and education necessary following a publicly disclosed data breach—the public relations effort. Coverage for the costs of such efforts is essential.
Call centers. Make sure that cyberinsurance covers the cost of setting up, operating, and maintaining the appropriate telephone call centers for as long as necessary after a data breach. Because of the considerable cost associated with data breach call centers, it is important that this coverage is expressly provided together with coverage for the cost of providing credit/identity monitoring to individuals and business entities affected by the data breach. Any limitations on such coverage should be expressly stated.
Transmission of viruses/malicious code. Many cyber attacks involve capturing Company computers for use as “bots”. If the bot is only used for spamming and distribution of unauthorized advertising messages, there is little risk of liability to third parties. However, if the Company computers are used to transmit viruses, malicious code or malware, then specific coverage for the damages resulting from such transmission and distribution is necessary. Because of the cost of such coverage, every Company should consider appropriate hardware and software protection for its computers in order to prevent them from becoming Web robots, and should consider retaining a substantial portion of this risk.
First-Party Coverages
Theft and fraud coverage. This is an area where exclusions from coverage must be carefully analyzed in terms of the expected costs to the Company from loss or destruction of data as well as straightforward theft of Company funds. An area of particular concern should be any policy exclusion which might limit coverage for data breaches which occur by non-electronic means such as password theft.
Forensic investigation. Determining the cause of a data breach resulting in loss of data or compromise of company operations can be very expensive, particularly if the forensic investigation must be completed quickly and identify immediate action to prevent further loss. The details of coverage for forensic investigation costs are an important element to be considered during the negotiations surrounding purchase of any cyberinsurance policy.
Network/business interruption covers the costs of business lost and additional expense due to an interruption of Company computer systems. The most important issue in this kind of coverage is whether the interruption has to be the result of an intentional cyber attack. Not all network and business interruption attributable to computer system failure is the result of intentional cyber attack. Sometimes computer failures just occur or result from mistakes or negligence on the part of Company employees. One of the areas for negotiations of this coverage is the minimum length of time the system must be down before coverage is triggered and the maximum length of time for which coverage will be provided.
Extortion. One of the increasing threats for which insurance coverage is necessary is the cost of and provisions for payment of “cyber ransom” to a hacker, cybercriminal, or cyberterrorist demanding payment to refrain from publicly disclosing or causing damage to confidential electronic data.
Data loss and restoration coverage should also include the cost of diagnosing and repairing the cause of the loss. This kind of coverage is generally subject to a substantial retention or deductible and may be limited as to the causes of data loss that are covered. The most obvious excluded cause of data loss is failure to maintain and rigorously adhere to a data backup policy.
Other Key Provisions in cyberinsurance policies
Triggers — “loss or claim”. Cyberinsurance coverage is generally triggered either by an event that results in the loss of data, or a “claim” arising from the event that is made during the policy period. The Company must consider whether to purchase a “claims-made” or a “loss” type policy.
Trigger — defense. In many cyberinsurance policies, the defense obligation is triggered by a “suit,” and requires that a lawsuit has been filed or at least some written demand has been made against the insured Company. This definition may preclude defense of a claim that has yet to ripen into a lawsuit or written demand and where much of the defense costs may be incurred, particularly with respect to government agency or regulatory authority actions prior to filing a civil action or commencing an administrative proceeding.
Retroactive coverage. Cyberinsurance policies often contain a “retroactive date.” Losses arising from events which occurred prior to the retroactive date will not be covered.
Acts and omissions of third parties, particularly vendors, are generally not covered even when not expressly excluded. The area of greatest concern today is the vendors who maintain Company confidential information in the “cloud.” Before committing Company confidential information to the “cloud”, the Company should obtain a certificate of insurance from the cloud vendor covering damage to the Company and insist upon reviewing the actual policy on which the certificate of insurance was issued; otherwise the Company should make sure that its own cyberinsurance policy covers any losses caused by third parties such as vendors of cloud services.
Self-insured retention or deductible language applicable to third-party coverage should expressly declare that any payments made by the third party indemnifying the company for loss sustained by the breach may be applied directly toward satisfaction of the retention.
Coverage for unencrypted devices. Many cyberinsurance policies exclude coverage for data lost from unencrypted devices. The problem arises with the definition of an “unencrypted device.” Most devices now require some kind of login identification and password protection before they can be operated. The issues arise in the area between the login permitting access to the device and the opening of a program such as a word processor, a spreadsheet, or an email account. It is in this area that many cyberattacks occur. While good cybersecurity practice requires another login and entry of a password to access a program, in many organizations this is not an absolute requirement restricting access.
Coverage for corporations and other entities. Make sure that the definition of “covered persons” includes not only natural persons, but also corporations and other business entities which may be affected by a data breach.
Policy territory–occurrences outside the United States. Coverage should also include loss or theft of electronic devices such as laptops, smart phones, PDAs and other electronic devices containing confidential information while traveling outside the United States.
Location of security failure. Coverage under some cyberinsurance policies is limited to loss of data from company premises; however, as the Veterans Administration has learned, the loss of data can be the result of loss or theft of a device from an airport or the home of an employee.
Exclusions for generalized acts or omissions. Some cyberinsurance policies exclude coverage for losses arising from: “shortcomings in security of which the insured was aware prior to the inception of coverage”; failure to take reasonable steps to design, maintain and upgrade security; and certain failures of security software. These exclusion clauses are so broad and lacking in adequate definition they should be rejected out of hand or substantially renegotiated.
Exclusions for acts of terrorism or war. The classic exclusion for acts of war and terrorism which is found in most comprehensive general liability policies is not appropriate for a cyberinsurance policy, where the damage can be the result of foreign state-sponsored action or cyber terrorism. If the carrier is unwilling to accept the risk for acts of terrorism or war, special coverage for such acts should be purchased.
Insurance counsel and possible conflicts
Defense — choice of counsel. Since the substantial legal costs likely to be associated with a significant data breach can exceed the limits of the policy, the insured Company should maintain substantive input in the choice and management of counsel. Beware of any policy provisions which cover defense costs only to the extent that they are incurred by a law firm chosen by the insurance carrier. Although the insurance carrier is free to cap the cost of legal defense, it should not be permitted to dictate the choice of counsel. Only the Company is in the position to determine whether the attorneys representing its interests are appropriate.
There is always at least the appearance of an inherent conflict of interest between counsel chosen by the insurance carrier to represent an insured and the insurance company paying their bills. The same is true with respect to the attorneys chosen by the insured ostensibly to represent the interests of the insured and the insurance carrier which is paying their legal fees.
Many attorneys overlook the fact that the relationship between an insurance company and the insured after a claim is made is by its very nature an adversary relationship and it has to be treated as such.
The rules of engagement after a claim is made must be clearly set forth in the terms of the actual cyberinsurance policy. Otherwise, litigation is likely to follow between the insured Company and its insurance carrier. Such litigation is often expensive and time-consuming even when it only seeks a declaratory judgment on coverage.
A more balanced “choice of counsel” clause would be, “The insured and the insurer shall mutually agree on defense counsel and if they cannot agree, the insured shall choose counsel for which the insurer shall pay up to a [cap or limit] with billing in accordance with the following [defined fee schedule]”.
The information on this page has been adapted from articles by Tom Starner and Steve Raptis during March which appeared in Risk & Insurance online magazine.