Recent reports confirm that cyber insurance uptake is on the rise.
Driven by recent ransomware attacks, data breaches and a maturing appreciation that 100% cybersecurity is a fiction, more companies are looking to cyber insurance to transfer some of the risks associated with these ever-increasing and serious threats.
But all cyber insurance policies are not created equal, and one size definitely does not fit all insureds. It’s imperative, therefore, that prospective insureds take steps to ensure that they’re purchasing the appropriate cyber coverage to address their entity’s unique cyber risk profile.
The insured’s work, however, is not over when the policy is bound. At that point, it’s critical for companies to have a full understanding of their affirmative obligations under the policy so that they do not inadvertently jeopardize coverage in the event of a claim.
Currently, there is no standard cyber insurance policy form, and there can be very significant differences in coverages, definitions and exclusions from policy to policy. In addition, insurers frequently update and modify their own policy forms in light of emerging threats and market developments.
Insureds can often choose from a selection of different coverage options within an individual cyber policy. These apply to a variety of exposures, such as third party liability, breach response, extortion, computer fraud, regulatory defense, website media liability, and business interruption.
Today’s fluid and evolving cyber insurance market can make it challenging for prospective insureds to meaningfully compare different insurers’ policies. For that reason, insureds often seek experienced advisors to help them select appropriate coverage to address their specific cyber needs. An advisor also can assist in negotiating better coverage terms, revising onerous policy conditions and requirements, and securing consent to use the insured’s preferred vendors and consultants in the event of a cyber incident.
As noted, a policyholder’s work is not finished once it has purchased a cyber policy. The insured needs to be cognizant of the representations it made to the insurance company in connection with procurement of the policy and understand the affirmative obligations imposed on the insured by the terms and conditions of the policy. Failure to do these things may put coverage at risk in the event of a claim.
Representations made to the insurer: Although there is no standard application for cyber insurance, insurers usually ask for similar types of information from a prospective insured, including customary financial data about the company, such as assets and revenues, number of employees, and planned merger and acquisition activity. In addition, cyber applications typically seek, in varying levels of detail, information about the applicant’s data-handling, privacy and cybersecurity practices.
Care should be taken to accurately complete the application, which will become part of the issued policy. Input from a cross section of stakeholders throughout the enterprise likely will be required to provide factually correct answers to the insurer’s questions. Insurers may require the company’s president, CEO, and/or CIO to sign the completed application and attest to the accuracy of the company’s responses.
Inaccurate information provided in the application process may jeopardize coverage in the event of a claim. For example, XYZ Inc. states in its application that it always encrypts data containing personally identifiable information (PII), and an insurer issues a policy in reliance on XYZ’s representations. If XYZ were to be hacked during the policy period, resulting in the theft of unencrypted PII, coverage for its claim may well be at risk.
Similarly, if Company ABC represents that a qualified attorney approves all website content in advance and disparaging claims against a competitor are later posted on ABC’s website by an unsupervised employee, coverage for the competitor’s claim may be affected.
Notice of Claim: Cyber policies routinely contain explicit provisions concerning how and when an insured must provide notice of a claim. Depending on the policy wording, factual circumstances and applicable law, an insured’s noncompliance with this condition may provide grounds for its insurer to deny the claim.
Cyber insurance notice conditions are anything but uniform. For example, one policy contains the following provision: “The Insured’s duty to report a Claim commences on the earliest date a written notice thereof is received by an Executive Officer. If an Executive Officer becomes aware that a Claim has been made against any Insured, the Insured, as a condition precedent to any rights under any Third Party Liability Insuring Agreement, must give to the Company written notice of the particulars of such Claim, including all facts related to any alleged Wrongful Act, the identity of each person allegedly involved in or affected by such Wrongful Act, and the dates of the alleged events, as soon as practicable. The Insured agrees to give the Company such information, assistance and cooperation as it may reasonably require.”
The term “Executive Officer” is defined in that policy as “a member of the board of directors, board of trustees, board of managers, board of governors, officer, natural person partner, principal, risk manager, LLC Manager, in-house general counsel, or branch manager of the Insured Organization, or a functional equivalent thereof.”
In contrast, another policy contains a very different condition, requiring notice: “upon knowledge of the insured organization’s President; members of the Board of Directors; executive officers, including the Chief Executive Officer, Chief Operating Officer, and Chief Financial Officer; General Counsel, staff attorneys employed by the insured organization; Chief Information Officer; Chief Security Officer; Chief Privacy Officer; Manager, and any individual in a substantially similar position as those referenced above, or with substantially similar responsibilities as those referenced above, irrespective of the exact title of such individual and any individual who previously held any of the above referenced positions…”
Notice obligations vary greatly
As these examples illustrate, notice obligations can vary greatly from policy to policy. Insureds are urged to examine the specific requirements of their policy, including any excess policy(ies), and implement internal processes to identify the individuals implicated by the policy condition and instruct them in advance as to their responsibilities.
Prior consent: Cyber policies generally require the insured to obtain the insurer’s “prior written consent” before expending funds in connection with an event covered by the policy.
For an insured in the throes of dealing with a security breach, network shutdown or ransomware attack, however, obtaining an insurer’s written consent before addressing the situation may not be top of mind.
Consequently, insureds need to take note of their policy’s prior consent provisions and incorporate those requirements into their incident response plans and employee training programs.
Cyber insurance can provide a lifeline to companies suffering a cyber incident. Prospective insureds that have a good understanding of their unique cyber risk profile will be better able to select the appropriate coverages, but they should then take steps to ascertain and operationalize their policy’s various conditions and requirements so that they will be less likely to put their coverage at risk when they need it most.
Judy Selby, JD, is a Principal of Judy Selby Consulting LLC and a senior advisor at Hanover Stone Partners LLC. She provides insurance consulting, cyber insurance analysis, and insurance coverage expert witness services, with a particular focus on cyber-related issues. She can be reached at email@example.com.
Originally published on LegalTech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.