The Top 10 Things Sharp Brokers Should Consider When Placing Cyber Liability

By Rob Rosenzweig | August 22, 2016

The insurance marketplace for cyber liability is constantly evolving. Technology is always improving, the level of data security and awareness is escalating, and the tools used by criminals and bad actors are becoming more sophisticated. Additionally, the individuals and groups behind these data breaches have varied motivations, ranging from embarrassing organizations, to monetizing personal information, to simply wreaking havoc. This, coupled with increased regulatory scrutiny and media attention, creates a challenging environment for businesses grappling with data security issues.

Unfortunately, the insurance industry does not make it any easier for potential insureds. Policy forms are frequently being updated to keep up with the changing exposures and increasing historical claims data.

Market penetration for cyber liability with middle-market and small businesses is below 20 percent by most estimates, while connected devices are expected to triple to 15 billion by 2020, fueling demand for cyber liability insurance and experts who can effectively advise clients in uncharted waters. With that in mind, here are 10 tips to consider when evaluating coverage.

1. Prior Acts Coverage

Historically, cyber insurance – similar to professional liability insurance – has been written with a retroactive date that corresponds to the inception date of the first purchase, so the insurer would not be responsible for any claim arising out of a breach or wrongful act alleged to have occurred prior to that date.

The challenge for insureds with cyber liability is that most businesses do not know that they have been breached for months. It’s conceivable that an insured could answer a warranty question on an application truthfully without realizing they have already been breached. In theory, an insurer would likely need to provide coverage for the forensic analysis, but if it was determined that the breach pre-dated the inception of coverage, they could certainly deny coverage for any further expense.

Many insurers recognize this and are beginning to offer a limited window of prior acts coverage under cyber liability policies, or full prior acts coverage in some cases.

2. Choice of Vendors/Counsel

This can be an issue for insureds of any financial size. Every insurer has a different philosophy about claims handling. Some insurers require the insured to use both their preferred breach response vendors and their panel law firms if there is a third-party action; some insurers incentivize the use of their preferred vendors but still give the insured flexibility; and other insurers do not put any restrictions whatsoever on the insured. There is no right or wrong answer, though it is important to understand the client’s preference and make sure that it is aligned with the policy terms and conditions.

3. Outsourced Service Providers

More and more businesses are outsourcing various elements of their business to consultants, technology service providers, and cloud providers due to cost and the ability to maintain a higher level of network security. While a business can outsource the storage and processing of information, it cannot outsource liability. It is important to ensure that the policy will provide the same coverage when personally identifiable information in the insured’s care, custody, or control has potentially been compromised, even if the breach does not occur on the insured’s premises.

4. Bodily Injury Property Damage

Increasingly, general liability/property coverage and cyber liability are intersecting due to the Internet of Things and wearable devices. Additionally, systems that control transportation, utilities, and critical infrastructure are connected. It’s a real possibility that someone could hack into a network simply to cause physical injury and damage property. This can be seen on an even more basic level with people being injured while playing Pokemon Go. Cyber liability policies have historically excluded bodily injury and property damage, and many property/general liability policies exclude losses arising out of cyber-related perils. If an insured has any potential exposure in this area, it’s important to find coverage certainty.

5. Network Interruption System Failure Coverage & Contingent Network Interruption

One coverage available under cyber liability policies is network interruption coverage. Network interruption is not dissimilar from business interruption coverage under a property policy with the exception that the trigger is a cyber peril vs. a traditional property peril. The majority of cyber liability policies on the marketplace limit the trigger for network interruption to a malicious network attack while other policies will respond to technology simply malfunctioning. Certain insurers will offer some level of coverage if a contingent service provider has a loss that would have been covered under an insured’s policy. It’s important to analyze an insured’s reliance on systems to conduct business and what supply chain risk they may have when determining network interruption coverage.

6. Value-Added Services

Many insurers have started to realize it’s in their best interest to provide risk management services to insureds to help make them a better risk. Some of these services are complimentary in nature and others come at a cost. This can be a compelling reason to bind insurance with one insurer versus another and should be a point of conversation depending on an insured’s need for risk management services.

7. Unencrypted Device Exclusions

Encryption of all devices on a network is certainly a best practice, but there are few businesses that achieve 100 percent success. Certain insurers understandably would prefer to exclude coverage from all claims arising out of an unencrypted device.

8. Loss of Tech Support Exclusions

When software and hardware are no longer supported by the vendor and patches are no longer being supplied, they become more vulnerable to an attack. If an insured is still using end-of-life technologies like Windows 7, an insurer may seek to limit any claims arising out of that technology.

9. Cyber Terrorism

Cyber liability policies have historically included a terrorism exclusion similar to all other insurance policies to prevent coverage from being triggered by attacks perpetrated by religiously motivated or state-sponsored groups unless the Secretary of State declares an act of terrorism. Given the inability to trace the origins of some of these attacks and the possibility that some of these attacks have been funded by rogue states, it’s important to find insurers willing to provide coverage for cyber terrorism.

10. Breach of Contract

While most insurance policies contain breach-of-contract exclusions to preclude coverage in instances where liability would not have existed in the absence of a contract, it’s important that these exclusions be removed or modified in cyber liability policies. It’s likely that an insured holds non-personally identifiable information that it has a contractual obligation to keep confidential, and there are contractual penalties that can be levied by the payment card industry when payment card data has been compromised.

Unlike other lines of business that have ISO forms and some standardization from insurer to insurer, it is apparent that all cyber liability policies are not equal.

While there will always be new, relevant issues as exposure and products continue to develop, these are the big issues of focus for sophisticated buyers. It’s critical to understand each insured’s unique business and exposures. Armed with these tips, you will be better able to negotiate a best-in-class cyber liability policy for your clients.

From This Issue

Insurance Journal Magazine August 22, 2016
101 Sales, Marketing & Agency Management Ideas; Technology Risks; Corporate Profiles