Managing today’s privacy and data protection issues is no easy feat. Hyper-connectivity, mobility, big data and analytics, and remote access to enterprise data have revolutionized the way modern organizations function. But those same phenomena also have exponentially broadened the privacy and data protection exposures companies now must manage.
Risk abounds at every stage of the information lifecycle, from the creation or collection of information, through its use, storage, retention, and its ultimate disposition. Data breach and misuse, cyber crime, and an evolving and increasingly rigorous regulatory landscape are now recognized as enterprise-wide concerns. But despite best efforts and increased spending, even the most diligent organizations must recognize the fallacy of assuming nothing will ever go wrong. Regardless of company size or industry vertical, privacy and data protection mishaps are inevitable. For that reason, more and more companies are looking to cyber insurance as a hedge against these relentless risks.
What is cyber insurance?
Cyber insurance can provide much needed tactical and financial support to firms confronted with a cyber or privacy incident. This is particularly valuable for small and midsized firms that may not be well equipped to survive such a mishap. Generally, a cyber policy’s first-party coverage applies to costs incurred by the insured itself when responding to a covered cyber event. Third-party coverage responds to claims and demands against the insured arising from a covered incident.
First-party coverage. First-party coverage can be triggered by a variety of events, including the theft or disclosure of protected information, malicious destruction of data, accidental damage to data, IT system failure, cyber extortion, viruses, and malware. First-party coverage is generally available for legal and forensic services to determine whether a breach occurred and to assist with the aftermath—for example, complying with regulatory requirements, notifying affected employees and/or third parties, covering network and business interruption costs, repairing damage to digital data, and protecting the insured’s reputation.
Third-party coverage. Third-party coverage can be implicated in a variety of ways, including by claims and lawsuits against the insured for breach of privacy, misuse of personal data, defamation/slander, or the transmission of malicious content. Coverage is available for legal defense costs, settlement costs or damages, regulatory fines and penalties, and electronic media liability, including infringement of copyright, domain names and trade names on an internet site.
New cyber coverages. Just as cyber risks have continuously evolved, so has cyber insurance coverage. Recent policy iterations offer protection against a wide range of today’s most vexing cyber threats, including cyber extortion, social engineering, senior executive losses, corporate identity theft, “bricking” of corporate electronic devices, and contingent business interruption.
Challenges. Unlike many other more traditional lines of insurance, there is no standard policy form for cyber insurance. More than 150 insurers currently sell cyber coverage, and each has its own policy form, utilizing its own, unique policy language. This creates challenges for companies trying to compare one cyber insurance policy with another. For example, two forms may use the same terms, such as “security event” or “regulatory investigation,” but they will define those terms differently, creating significant differences in the scope of coverage provided. Nevertheless, because the cyber insurance market is quite competitive, insureds often have the ability to shop around for and negotiate more favorable coverage terms.
Applying for cyber coverage
Although there is no standard cyber policy application, insurers often ask for similar types of information from a prospective insured, including financial and business information (such as assets and revenues), the number of employees, and planned merger and acquisition activity. In addition, cyber applications typically inquire as to the types and volumes of data handled or maintained, employment of cyber security and privacy personnel, existing network security programs and practices, prior security and privacy incidents, awareness of facts or circumstances that could give rise to a claim, and more.
Care should be taken to accurately complete the application, which will become part of the policy if one is issued. It may be necessary to seek input from a variety of inside and external stakeholders, such as IT vendors and consultants, in order to provide accurate and complete answers. It’s crucial to remember that inaccurate information provided in the application may jeopardize coverage if a claim is later tendered under the policy.
Getting the right cyber policy
As highlighted above, there currently are no standardized cyber insurance policy forms. Policy terms, such as grants of coverage, exclusions, and conditions, can vary wildly, and numerous coverage options typically are offered. In many instances, policies contain tailored or “manuscripted” provisions agreed to by the insurer and the insured during the policy negotiation process.
The lack of standardization means that companies need to be proactive to ensure that the cyber policies they purchase are appropriate for their specific cyber risk profile. For example, if a company entrusts data to third parties, it will want coverage for that third-party risk. If it maintains an active social media presence, it will want media liability coverage. And as more regulations are enacted around cyber security and data-handling practices by regulators across the globe, obtaining comprehensive coverage for a wide variety of regulatory violations (not just security breaches) and fines is increasing in importance for many companies. Given the complexities of today’s cyber insurance market, entities are encouraged to work with knowledgeable insurance professionals to assist with procurement of appropriate coverage.
Avoiding cyber insurance pitfalls
It’s important to remember that a policyholder’s work is not finished once it has purchased a cyber policy. The insured needs to be cognizant of the representations it made to the insurance company in connection with procurement of the policy and understand the affirmative obligations imposed by the terms and conditions of the policy. Failure to do these things may put coverage at risk in the event of a claim. Some of the key issues to keep in mind are highlighted below.
Representations made to the insurer. Extreme care should be taken to accurately complete the application. Inaccurate answers may jeopardize coverage if a claim is later submitted. For example, XYZ Law Firm states in its application response that it always encrypts protected data, and an insurer issues a policy relying on XYZ’s representations. If XYZ were to be hacked during the policy period, resulting in the theft of unencrypted protected data, coverage may well be at risk. Similarly, if Firm ABC represents that a qualified attorney approves all website content in advance of publication and disparaging claims against a competitor are later posted on ABC’s website by an unsupervised employee, coverage for the competitor’s claim may be affected.
The application also may require the prospective insured to provide updated information before a policy is issued if any responses in the submitted application are no longer accurate. Failure to do so may provide a basis for the insurer to later amend the issued policy, which may affect the coverage afforded to a claim.
Notice of claim conditions. Cyber policies routinely contain explicit provisions concerning how and when an insured must provide notice of a claim. Depending on the exact policy wording, factual circumstances, and applicable law, an insured’s noncompliance with a policy’s notice condition may provide grounds for its insurer to deny the claim.
Cyber insurance notice conditions are anything but uniform. For example, one cyber policy requires notice after an “Executive Officer” becomes aware of a claim, while another policy is much broader and requires notice when any of the following people learn of a claim:
President; members of the Board of Directors; executive officers, including the Chief Executive Officer, Chief Operating Officer, and Chief Financial Officer; General Counsel, staff attorneys employed by the insured organization; Chief Information Officer; Chief Security Officer; Chief Privacy Officer; Manager, and any individual in a substantially similar position as those referenced above, or with substantially similar responsibilities as those referenced above, irrespective of the exact title of such individual and any individual who previously held any of the above referenced positions.
As these two examples demonstrate, the obligations imposed on the insured can vary greatly from policy to policy. Insureds therefore are urged to understand the specific mandates of their policy and implement internal processes to operationalize those requirements.
Prior consent and panel requirements. Cyber policies often require the insured to obtain the insurer’s consent before expending funds in connection with a covered event. For instance, insurers routinely mandate that the insured obtain the carrier’s “prior written consent” in advance of incurring costs to respond to a breach, claim, or ransom demand.
Insureds also should be aware that some cyber insurers specify that the insureds must use preselected “panel” professionals, including attorneys, forensic specialists and notification firms. It’s critical for policyholders to know their carrier’s specific requirements in that regard in advance of suffering a cyber incident and expending funds to retain non-panel service providers.
Cyber insurance can provide a lifeline for companies dealing with today’s vexing and relentless privacy, security, and compliance risks. Companies are encouraged to carefully consider their unique cyber risk profile and obtain the best cyber coverage to suit their needs.