Coverage for cyber incidents can still be found in policies besides cyber and companies should seek these out, a policyholder attorney said Wednesday at the Risk & Insurance Management Society’s TechRisk/RiskTech conference.

“In most instances, having standalone cyber coverage has proven to provide the most comprehensive coverage in the cyber realm” and insurers have made an effort to eliminate so-called “silent” cyber coverage in other policies, said Peter A. Halprin, a partner with Pasich LLP in New York. Nevertheless, coverage can be found in property, employment practice liability and directors & officers insurance policies, he said.

Mr. Halprin said he has been able to find coverage for clients under property policies when there was a meltdown of computer systems for unknown reasons; under employment practices liability coverage when a client whose employee records were breached was sued for alleged privacy violations; and under directors and officers liability coverage, with company boards now under an increased onus to be responsive to cyber issues.

“It is really important to read your policies” to get a “holistic” sense of where there might be coverage for cyber incidents.

Mr. Halprin said companies should have a response plan in place if there is a cyber incident and know what each person does. There must be people internally and externally who manage issues including those that are legal and insurance related, “so you can hit the ground running,” he said.

Companies should also be mindful of timing requirements for proof of loss, he said. In one case, an insurer offered 60 hours of post-breach preventive services, but the client belatedly learned the offer had to be taken up within a month of the cyber incident.

Companies should also take charge of the claims process, Mr. Halprin said. If a policy says a company has six months to submit a proof of loss but it thinks it needs more time, the business should ask for it, he said.

Renewals and claims should be evaluated independently, but the reality is that insurers will often look at a company’s claims history, he said.

Mr. Halprin noted a recent ruling in favor of pharmaceutical company Merck & Co. in the Superior Court of New Jersey in Elizabeth over the 2017 NotPetya malware attack could lead insurers to re-examine the war clause in their coverage.

The court held in its ruling last month in Merck & Co. and International Indemnity Ltd. v. Ace American Insurance, et al. that “given the plain meaning” of the war clause, which relates to the use of armed forces, the war exclusion does not apply to the malware.

The ruling noted, Mr. Halprin said, that insurers had not done anything to change the traditional wording of the war exemption to exclude cyberattacks. This is an issue to continue to watch to see if insurers make changes, he said, observing that most cyber policies include war exclusions.