Unlike more traditional forms of insurance, there currently are no standardized policy forms for cyber insurance. Policy terms, including grants of coverage, exclusions, and conditions, vary among the many carriers that issue cyber policies, and numerous coverage options are offered. Given this reality, companies need to ensure that the cyber policy they purchase is appropriate for their specific cyber risk profile.
Because the terms of cyber insurance policies vary so substantially among carriers, and policy forms are frequently updated, it’s important for companies to take a hard look at their policy, both at the time of initial purchase and at renewal, to ensure that they understand what is, and what is not, covered. There are no shortcuts around this process; a careful review of every page of the policy is required. To drive this point home, I’ve highlighted some coverage gaps identified during recent policy reviews:
Vendor breach impacting insured’s information
Policies issued to a number of companies, both large and small, contained an endorsement that would eliminate coverage for incidents affecting the insured’s information while it is hosted by service providers. The “form” of each insurance policy included coverage for a “data breach,” which was defined to include incidents affecting either the insured’s computer system or that of a “third party” with whom the insured had a contract to host the insured’s information. “Third party” was not defined. An endorsement to each policy, however, changed the definition of “data breach,” substituting the term “individual contractor” for “third party.” “Individual contractor” was defined in pertinent part as a “natural person.” In other words, a human being. This two-word change in the 90+ page policies would likely serve to preclude coverage for a data breach affecting almost all of the insureds’ vendors, including cloud providers.
For companies that do not entrust their data to third parties, this endorsement may not be important. Companies certainly should not pay for coverages they don’t need. But for many companies, this policy change could create a major and avoidable coverage gap.
Coverage for business interruption caused by cyber extortion
A large healthcare provider was covered under an older form cyber policy, which apparently was updated at some point to add coverage for cyber extortion. Because of the way the policy was structured, however, the business interruption coverage, which was triggered by a variety of covered events, arguably was not triggered by a cyber extortion event. This may not have been the intention of the parties. But because the potential business interruption impact of a ransomware event could be quite substantial, the structure of the policy could create coverage issues in the event of a claim.
Social engineering losses
A policy issued to a global distribution company contained a “Social Engineering Endorsement,” pursuant to which the insured thought all social engineering risks, including business email compromise, would be covered. The endorsement, however, was limited to events involving the impersonation of company employees. Since cybercriminals frequently impersonate the insured’s business partners and vendors when perpetrating their social engineering attacks, and this insured has hundreds of vendors and suppliers worldwide, there was a gap in coverage for a very significant exposure.
GDPR endorsement
A number of companies across various industries had policies containing a “GDPR Endorsement,” and each of the companies was under the impression that it was insured for all exposures under the EU’s General Data Protection Regulation (GDPR). GDPR contains 99 articles and imposes broad obligations on regulated entities concerning how they handle personal information throughout the entire information lifecycle, from collection and use to storage and security. Despite assumptions that might be drawn from its title, the endorsement provided coverage for just four of the GDPR’s 99 articles, and each of those four deals only with information security requirements.
Understandably, not every cyber policy provides coverage for every potential GDPR violation. It’s important, however, for insureds to look past endorsement titles — as well as coverage summaries — and understand the precise scope of their policy’s coverage. If more comprehensive coverage is desired but not available, the insured should appropriately address its uninsured exposures in its cyber and privacy risk management program.
Choice of law
Insurance policies often contain a specific choice of law designation, meaning that the law of the identified state will apply to policy construction issues in the event of a dispute under the policy. It’s important to keep in mind, prior to policy issuance, that a choice of law designation could actually operate as a de facto exclusion. For example, although a cyber policy may provide coverage for regulatory fines and penalties, as well as punitive damages, it also may designate a state or jurisdiction (such as the jurisdiction issuing the fine) whose law precludes coverage for those exposures on public policy grounds. Insureds, therefore, should carefully consider their policy’s choice of law designation in light of their risk profile prior to policy issuance in order to avoid unpleasant surprises following a claim.
Obtaining cyber insurance is a wise business decision, but it should be made carefully. A close review of the policy can identify areas of concern that can be addressed during the policy negotiation process. It’s far better to recognize coverage gaps and limitations in advance, instead of waiting for an incident and potential coverage dispute to occur.