Several years ago, a series of massive and highly publicized retail data breaches took the issue of cyber security out of IT circles and inserted it into the mainstream news, cocktail party banter, and corporate board agendas. Those breaches also served to introduce the concept of cyber insurance to a much wider audience. Interest in and uptake of cyber insurance began to grow, largely driven by the breach response services (including incident response, forensic investigation, notification and credit monitoring costs) and class action lawsuit defense coverage available under those policies.
In their 2018 Cybersecurity Predictions report, Aon expects to see a surge in uptake of standalone cyber insurance policies.
To date, litigated cyber insurance coverage disputes have been few and far between, but here’s a summary of a recent development in one of them.
Thanks to Amy Spencer at Blank Rome LLP for allowing me to republish her informative 2-part series here.
In Part I of this two-part series, I identified first-party and third-party insurance claims that could result from a cyber event or attack on the Smart Grid. In this part, I examine how insurance policy language governs resolution of these claims and how to minimize gaps in coverage.
Examine Your Insurance Policies
Traditionally, third-party losses are covered by a company’s commercial general liability (“CGL”) policy. To qualify for coverage under a CGL policy, the policyholder typically must be confronted with a claim for “bodily injury” to another person or “physical injury to tangible property” (collectively known as “Coverage A”), or with a claim for “personal and advertising injury” (injury arising out of certain enumerated offenses such as malicious prosecution or invasion of privacy) (“Coverage B”). Various disputes have arisen as to whether cyber-related losses fit within these coverages. For example, some courts have found cyber-related losses to constitute loss of use of tangible property under Coverage A. See, e.g., Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010) (general liability insurance policy provided coverage to insured internet advertising business for lawsuit brought by third-party computer user, who alleged that his computer became inoperable after he visited insured’s website).
Thanks to Amy Spencer at Blank Rome LLP for allowing me to republish her informative 2-part series here.
In this part of our two-part series, I identify the types and breadth of insurance claims that can result from a cyber breach or cyberattack on technologies deployed in the Smart Grid industry. These claims can affect a full range of entities and individuals, including electric utilities implementing Smart Grid technology, energy consumers, Smart Grid technology suppliers, and their individual officers and directors.
Today’s cyber risks come in all shapes and sizes, from disclosure of protected information due to hacking or employee negligence through network shutdown or impairment, regulatory violations, and everything in between. Consequently, modern enterprises are becoming painfully aware that 100% cybersecurity is an impossibility. Instead of focusing exclusively on building cyber defenses, smart companies are taking an enterprise approach to managing cyber risks, which includes development of a cybersecurity program that places attention on a number of issues, including network security, employee training and third party risk. Even then, however, some cyber risks will remain.
Instead of simply living with those residual risks, more companies are taking a holistic approach to cyber risk management, which includes transfer of residual cyber risk through insurance. Although it is no substitute for appropriate policies and practices, cyber insurance that is appropriately tailored to a company’s unique risk profile can be a key component of an effective cyber risk management program.
What is Cyber Insurance?
Cyber insurance can provide much-needed tactical and financial support for companies confronted with a cyber incident. Generally speaking, the cyber policy’s first-party coverage applies to costs incurred by the insured when responding to a covered cyber event, while third-party coverage responds to claims and demands against the insured arising from a covered incident.
First-party coverage usually can be triggered by a variety of events, including the malicious destruction of data, accidental damage to data, IT system failure, cyber extortion, viruses and malware. Generally available first-party coverages include legal and forensic services to determine whether a breach occurred and, if so, to assist with regulatory compliance, costs to notify affected employees and/or third parties, network and business interruption costs, damage to digital data, repair of the insured’s reputation, and payment of ransom costs.
Third-party coverage can be implicated in a variety of ways, including by claims for breach of privacy, misuse of personal data, defamation/slander, or the transmission of malicious content. Coverage is available for legal defense costs, settlements or damages the insured must pay after a breach, and electronic media liability, including infringement of copyright, domain name and trade names on an Internet site, regulatory fines and penalties.
Cyber insurance typically provides for the retention of an attorney, a so-called breach coach, to coordinate the insured’s response to a cyber incident. An experienced coach can build an effective team of specialists and efficiently guide the company through the forensic, regulatory, public relations and legal issues that arise from a security incident. Given the complexities of the various federal and state laws pertaining to data breach notification, the increasing demands of regulators, and the scrutiny of the media and the class action bar, coverage for the retention of a skilled breach coach is perhaps the greatest benefit of cyber insurance.
Obtaining Cyber Coverage
Although there is no standard application for cyber insurance, insurers usually ask for similar types of information from the prospective insured, including customary financial data about the company, such as assets and revenues, number of employees, and planned merger and acquisition activity. In addition, cyber insurance applications typically inquire as to:
- volume and types of data (i.e., credit card data, banking records, protected health information) handled or maintained by the company;
- existence of written, attorney-approved and updated policies and procedures concerning the handling of information;
- compliance with security standards and regulations, and the frequency of assessments;
- existing network security programs, including the use of firewalls, antivirus software and network intrusion testing;
- employment of a chief information officer or chief technology officer;
- history of security incidents and breaches, including how long it took to detect any prior breach;
- prior threats to disable the company’s network or website;
- awareness of any facts or circumstances that reasonably could give rise to a claim under a prospective cyber policy;
- prior cancelation of or refusal to renew a cyber policy;
- security budget (is it part of the IT budget and, if so, what percentage?);
- practices concerning data encryption, passwords, patching and system access control;
- employee hiring and training practices, and procedures around termination;
- physical security controls (e.g., access cards);
- audits of third-party service providers;
- vendor contracts and policies;
- policies governing mobile devices and social media; and
- data backup procedures.
Care should be taken to accurately complete the application, which will become part of the policy if one is issued. Applications may require the signature of the company’s president, CEO, and/or CIO, who must attest to the accuracy of the company’s responses. Inaccurate information provided in the application may jeopardize coverage if a claim is later tendered under the policy.
Choosing the Right Cyber Insurance Policy
Unlike more traditional forms of insurance, there currently are no standardized policy forms for cyber insurance, and policies often contain “manuscripted” provisions agreed to by the insurer and the insured during the negotiation of the policy. Policy terms, including grants of coverage, exclusions and conditions, vary among the 60 or so carriers that currently issue cyber policies, and numerous coverage options are offered by cyber insurers. Given this reality, companies need to ensure that the cyber policy they purchase is appropriate for their specific cyber risk profile. For example, if a company entrusts its data to third parties, it will want coverage for third party risks. If it maintains an active social media presence, it will want media liability coverage. And as more regulations are enacted around cybersecurity and data-handling practices, coverage for regulatory fines is increasing in importance for many entities.
When negotiating the purchase of a cyber policy, the following points, among others, should be considered:
What are the company’s specific cyber risks?
- Are policy limits and sub-limits adequate for existing needs?
- Is there retroactive coverage for prior unknown breaches?
- Is there coverage for claims resulting from vendors’ errors?
- Is “loss” of data covered or just data “theft”?
- Can cyber insurance be combined with vendor indemnities to maximize protection?
- Does the policy cover data in the possession of cloud providers and other third parties?
- Will the insurer offer a subrogation waiver?
- How does the cyber policy fit within the company’s overall insurance program?
- Can more favorable provisions, limits and premiums be negotiated with another carrier?
In addition to the coverages provided by cyber insurance after a cyber event, some cyber insurers offer free or discounted prophylactic or “loss control” benefits to improve their insured’s cyber risk profile. Loss control services can include information governance tools, information management counseling, employee training, risk assessments, and review of vendor contracts.
Because of the variety and complexity of the cyber policies on the market, companies are urged to consult with knowledgeable and experienced professionals to help negotiate the most favorable policy terms and limits to fit the company’s needs. Care should be taken to ensure that the policy adequately addresses the company’s cyber risks and appropriately dovetails with the other coverages in the insured’s comprehensive insurance program. And instead of simply putting a completed cyber insurance policy on the shelf with hopes that it will never have to be used, insureds should make sure that they fully understand the representations they made in their policy application, as well as any continuing obligations they have under the policy, so that they can fulfill their responsibilities and maintain coverage in the event of a claim.
In the end, though, for most companies, it should be a matter of finding the right cyber coverage, not whether to obtain cyber insurance in the first place. Companies will continue to be under threat, and new cyber dangers are emerging every day. Having a policy in place that is suited to your company’s particular risks and exposures is a very smart step toward implementing an effective and holistic cyber risk management program.