Read the small print when buying cyber coverReprints
As insurers exclude cyber coverage from commercial general liability policies, it's critical for buyers to use a keen eye for details such as sublimits and exclusions when transitioning to a stand-alone cyber policy, says Collin Hite of law firm Hirschler Fleischer.
Data breaches continue to escalate and garner national attention. While 2014 may be known as the worst year yet for data breaches, 2015 is off to a major start. The situation is getting so bad that businesses large and small are finally realizing that the question is not if they will get breached, but when. And the sheer number of high-profile breaches in the past year reminds policyholders that cyber coverage is a critical part of any insurance program.
In response to the continually growing risk of loss from cyber and privacy violations, insurers are reacting in two ways. First, most are now excluding cyber risks from more traditional insurance policies, such as commercial general liability or errors & omissions.
Second, they are racing into the market with new products aimed at providing specialized coverage for such losses. Estimates are that data breach policies are changing every six months to keep pace with the size of the risk and exposure.
CGL isn't for cyber coverage
Just as insurers reacted to CGL policies providing coverage for environmental exposures, they are now doing so with respect to cyber losses.
In 2014, the Insurance Services Office introduced several new endorsements addressing access or disclosure of confidential or personal data. These endorsements will strip most, if not all, coverage for data-related losses from CGL policies.
The losses that are excluded could cripple a business with response and rebuilding expenses related to their network infrastructure. These endorsements are already showing up in most renewals.
A true cyber policy is best
In obtaining cyber insurance for losses, it's critical that businesses understand the full scope of the coverage. Insurance to protect your property and network can include: 1) computer data restoration; 2) re-securing a company's information network; 3) theft and fraud coverage; 4) business interruption; 5) forensic investigations; 6) crisis and public relations management; and 7) extortion. Coverage attorneys note that first-party losses are usually the highest costs to a business suffering a cyber attack, so adequate coverage in this area is vital.
Organizations also need liability coverage. Of course, most coverage in this area will provide for a defense to litigation brought by customers for their direct losses due to a breach. However, insurance may also cover: 1) Payment card industry-data security standard liability; 2) credit monitoring for customers; 3) the cost associated with notifying customers of a breach; 4) media and privacy liability; and 5) responses to regulatory investigations. Policyholders can obtain difference in conditions coverage under certain aspects of first- and third-party coverages.
Today, “cyber” can be a misnomer for the breadth of coverage available.
However, the policy forms among the insurance carriers vary tremendously, and policyholders must be vigilant to ensure they purchase the right coverage. Policyholders must look well beyond the declarations page and coverage grant when considering this type of insurance. Though those are obviously important, the devil is in the details.
Here are some important areas to consider:
• Watch the sublimits. While many policyholders have a far better understanding of standard CGL and property coverage, it remains critical for them to to truly understand the nature of a cyber policy being added into their insurance program. It is not uncommon for the most expensive and necessary aspects of coverage to have the lowest sublimits. Policyholders have to understand their risk and the costs for responding to a breach, then make sure the sublimits are appropriate for them.
• The definitions matter. Because insurers all use different forms for data breach and privacy insurance, the definitions in the policy are critical to the scope of coverage. For example, how does the policy define “computer system?” That definition may make all the difference in whether there is coverage or not. The same is true for “wrongful act” and a host of other terms that are highly specific to the insurer's forms. Remember, data breaches can take all forms of attack so you need the policy to account for them.
• Exclusions apply. No surprise, these policies also contain a litany of exclusions. A prospective buyer of cyber insurance must pay particular attention to them. Match the exclusions with the numerous definitions, and it becomes easy to see how tough it can be to have coverage at the end of the day. That does not mean such insurance is not critical — it is. But, a prospective buyer must be hypervigilant to determine what the policy offers against the risks, and negotiate like the devil for better terms.
• It's cool to be retro. A survey by cyber security firm Mandiant, a FireEye company, noted that in 2013 the average number of days a hacker is in your system before discovery is 229. Of course, many businesses continue to struggle with detecting a breach. This means you need a retroactive date of at least a year to ensure coverage for this lag. Ideally, a policyholder would want a minimum of two years, if possible.
• The value of the vendors. One of the main selling points of such insurance is that the insurers bring all the resources to the table. The insurers will have forensic information technology
vendors to assist in closing the breach. They have credit monitoring and public relations experts. The goal is that one call to your insurer after a data breach will immediately marshal these resources. But, do you know these vendors, and will they do more harm than good for you? Policyholders should vet the vendors to determine whether they are best in class or negotiate on the issue.
Time spent upfront on an in-depth analysis when considering such insurance may prevent the type of fight many policyholders are facing to get the coverage they paid for from their insurer. Working closely with your broker and coverage counsel may seem tedious, but ensuring the correct coverage can prevent unwanted litigation after the fact.
Collin Hite is the practice leader of the insurance recovery team in Hirschler Fleischer's Richmond, Virginia, office. He handles insurance recovery and coverage litigation nationally, as well as providing insurance policy and program audits for policyholders. He can be reached at 804-771-9595 or firstname.lastname@example.org.