
Cyber policies start to show their limitations

Policyholders should be aware of potential gaps in their cyber insurance as standardized language is still in the early stages of development and policies can vary greatly in what they do and do not cover.

Experts say that because standard policy language has not yet developed for cyber risks, risk managers should watch out for inadequate sublimits and be aware that the insurance is highly unlikely to cover property and bodily injury losses.

The warnings followed what may be the first ruling involving a cyber insurance policy.

In the case, a federal judge in Phoenix ruled against Scottsdale, Arizona-based P.F. Chang's China Bistro Inc. in a coverage dispute with a Chubb Ltd. unit (see story, page 38). P.F. Chang's is appealing the ruling to the 9th U.S. Circuit Court of Appeals in San Francisco.

Cyber policies are not like property policies, which “have been around for 20 years and where the language from one insurance company to another is going to be very, very similar if not identical,” said Patrick X. Fowler, a partner at Snell & Wilmer L.L.P. in Phoenix. “Cyber insurance is a different animal because it is so new.”

“Many companies will have unique risks simply by virtue of the way they conduct business or the type of business they're in or just the overall risk environment that they face,” and customized coverage frequently is necessary, said William Boeck, senior vice president, insurance and claims counsel at Lockton Cos. L.L.C. in Kansas City, Missouri.

“This remains a highly manuscripted world,” said Thomas B. Alleman, a member of law firm Dykema Gossett P.L.L.C. in Dallas. “The market is evolving quickly, and I think the policy forms are evolving quickly.”

Make certain that coverage described on the declaration page of the cyber policy is reflected in the rest of the policy, said Robert Parisi, managing director and national cyber risk practice leader at Marsh L.L.C. in New York. Just looking at the declaration page “doesn't tell the whole story,” he said.

Make certain that exclusions “are appropriately narrow, so they don't take away what you've bargained for,” said Russell P. Cohen, a partner at Orrick, Herrington & Sutcliffe L.L.P. in San Francisco.

Experts also say buyers should make sure sublimits are adequate.

Breach response costs, including investigation, notification and public relations, “can be subject to separate sublimits and, if (policyholders) don't pay close attention, they may find that they maybe have a $1 million dollar policy” but a sublimit of only $50,000 for notification costs, which can be significant, said Matthew J. Siegel, a member of Cozen O'Connor in Philadelphia.

Stephen D. Raptis, a partner at Manatt, Phelps & Phillips L.L.P. in Washington, said retroactive dates should be checked in the cyber cover and negotiated.

“I've seen more claims denied on that ground in these cyber policies than on any other ground,” Mr. Raptis said of the issue that is a particular problem for first-time buyers. If a cyber event occurred before the issue date, “there's not going to be coverage,” he said.

In addition, some desired cyber coverage may not be available.

“With extremely rare exceptions” bodily injury and property damage are never covered in cyber policies, said Mr. Boeck. “There's lots of debate now about how these losses should be covered, and what policy should respond.”

Another issue insurers are still “trying to wrap their arms around” is reputational and brand damage caused by cyber breaches, said Roberta Anderson, a partner at K&L Gates L.L.P. in Pittsburgh, who anticipates such coverage will be offered in the next couple of years.

Pointing to the P.F. Chang's ruling, which is of particular significance to retailers, Ms. Anderson said it has become the market standard to cover fees and assessments arising out of contractually-assumed Payment Card Industry Data Security Standards, which was the case here. The better policies “do a good job” of covering these liabilities, she said.

But John C. Pitblado, a shareholder at Carlton Fields Jordan Burt P.A. in Hartford, Connecticut, said the P.F. Chang's case shows policyholders applying for coverage should still ask about contractual liability associated with business partners.

“It's an important issue when it comes to these new cyber policies,” Mr. Pitblado said.