IT, we have a problem. Reports of cybersecurity incidents continue to come in thick and fast. In November 2017, Equifax announced a mammoth data breach that it estimated would cost more than $140 million to address. Pharmaceutical giant Merck reported production slowdowns costing almost $500 million. The city of Atlanta spent $2.7 million to deal with a ransomware attack from the Petra virus. And irony of ironies, the Dutch Data Protection Authority sheepishly admitted that it had leaked the names of some of its own employees.
PwC estimates that cyber incidents cost the global economy $400 billion annually – and this figure will grow. As costs escalate, organizations look for ways to manage the risk. Insurers have responded to the demand. One increasingly popular option is cyber insurance. In a decade, cyber insurance has exploded from an obscure niche specialty form of coverage to one that is expected to generate $7.5 billion in premiums by 2020.
Against this backdrop, what do companies need to know about cyber insurance? Here are our top ten thoughts:
- Existing Policies Likely Will Not Protect You. While the issue has been extensively litigated in recent coverage disputes, subsequent revisions to Commercial General Liability, Directors & Officers Liability, and other standard policies bar cyber-related claims. Such claims include those arising from data breaches that involve unauthorized access to or disclosure of confidential information, and ransomware (including the loss of the use of electronic data).
- No Standard Policies. Unlike other areas, the insurance industry has yet to coalesce around a standard set of terms that constitute a “typical” cyber insurance policy. The good news is that this enables companies to negotiate bespoke policies that conform to their specific risk profile. For example, a health care entity may have extensive post-breach notification requirements. On the other hand, software support providers may have no notification requirements, but they may have exposure because of extensive contractual indemnification obligations. The two entities will have different risk profiles, and consequently may have different insurance needs.
- Know Your Minimum Requirements. Any insurance purchase exercise should map available policy benefits against operational realities. The policy limits are the most obvious concern: a $100,000 policy limit provides little protection against a $10,000,000 contingency. But other issues can be equally significant. How is an occurrence determined? For instance, if each compromised customer is a separate occurrence with its own self-insured retention or deductible, you may never meet your deductible. Does the policy limit coverage only to your own systems? In an era of cloud computing and vendor integration where third-party systems play key roles in your overall IT posture, this would leave a significant gap in coverage. Check your contractual, structural, and regulatory risk before entering the insurance market.
- Examine the Fine Print. Do not rely on the glossy marketing materials the insurer sends your broker. The scope of coverage is controlled by the policy language. Policy provisions are not always consistent with promotional materials. Consequently, you need to carefully analyze the provisions of the policy itself to evaluate its responsiveness to your needs. If a provision raises red flags, or you identify a critical coverage gap, take up the issue with the insurer. Or direct your broker to solicit additional options.
- Watch out for Pitfalls. Common policy provisions can significantly undermine coverage. For instance, one recurring issue is a policy that predicates coverage on meeting specific benchmarks. Have candid conversations with your IT staff in order to ensure that any such benchmarks are realistic. For instance, policies may exclude coverage for unencrypted data. If it is impractical or excessively cumbersome to encrypt all data as a matter of course, this exclusion is a major land mine. Another problematic provision is the “Failure to follow your own policy provision.” Even the most diligent company may fall short of universal adherence to internal requirements, e.g., there may be a delay in installing software patches. Such shortfalls are unavoidable. Make sure they do not void coverage.
- Beware the Contractual Exclusion. One rider warrants special attention: the “contractual exclusion.” This provision typically denies coverage for any obligation that the insured has contractually undertaken. Significant risks flow from standard business commitments. These range from Payment Card Industry (PCI) protocols to indemnification obligations to Federal Acquisition Regulations (FAR) compliance. Therefore, the contractual exclusion can effectively eviscerate your coverage. It would be hyperbole to suggest that any cyber insurance policy with a contractual exclusion offers illusory protection, but such provisions need to be carefully considered.
- Regulatory Concerns. Government regulators from the SEC to the New York Department of Financial Services are increasingly inclined to assess cyber insurance coverage as a key component of a responsible cybersecurity strategy. Accordingly, you should evaluate proposed policies from the regulatory perspective: a risk that cannot be completely alleviated may be acceptable if mitigated via appropriate insurance arrangements. Insurance coverage should be a place to reinforce your overall regulatory compliance program. And depending on the provisions of the policy, legal or technical assistance in responding to regulator queries might be an available benefit.
- Premium Issues. In the health insurance context, individuals can qualify for rebates or benefits by ceasing smoking or losing weight. Cyber insurance offers analogous cost savings. Adoption of recommended security practices, mandating specified training, or undertaking security risk reviews can result in lower premiums. Insurers may even assist with these exercises. In those cases, you get the benefit of the insurer’s accumulated expertise, while the insurer gets to lower its potential exposure and to better evaluate its underwriting risk.
- Evaluate the Experts. One potential coverage benefit, or restriction, is the requirement to use insurer-contracted experts in the event of a claim. These experts provide services ranging from public relations/crisis response to forensics to negotiators to legal counsel. It is critical that a company is comfortable with the outside experts who will assist it in the event of a cyber crisis. Some insurers will even make their contracted response teams available for preventative “table-top” exercises with their insureds’ cybersecurity teams. If such an opportunity presents itself, take it. The premium savings alone could justify the exercise. The improved security posture would be priceless.
- Talk to your Broker and Counsel. The nuances in this area elevate the importance of your insurance broker. Your broker is familiar with the market. Which insurers have a reputation for responsiveness? Prompt payment? Good recovery staff? What policy provisions conform to your risk profile? They should be prepared to explore the market and negotiate on your behalf. In addition, it is generally advisable to have the policy language reviewed by legal counsel, as both the technology and the law in this area are evolving rapidly.
For good or otherwise, the cyber insurance market is still in a state of flux. The good news is that companies have the ability to shop around, compare various offerings, and negotiate premiums and provisions. The flip side is that this requires you to do your homework before calling your broker. Know what you want and what you are looking for, and engage with your advisors to ensure you get the coverage you need.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad ( @NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com. Nothing in this alert constitutes legal advice or establishes an attorney-client relationship.
Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.