Although the National Cybersecurity Awareness Month of October has come to a close, it is not too late for corporate counsel and risk managers to be thinking about cyber-risk insurance — an increasingly essential tool in the enterprise risk management toolkit. But a prospective policyholder purchasing cyber insurance for the first time may be hard put to understand what coverage the insurer is selling and whether that coverage is a proper fit for its own risk profile. With little standardization among cyber policies’ wordings, confusing labels for their covered perils, and little interpretive guidance from case law to date, a cyber insurance buyer trying to evaluate a new proposed policy may hardly know where to focus first.

After pursuing coverage for historically major cyber breaches and analyzing scores of cyber insurance forms over the past 15 years, we suggest the following issues as a starting point for any cyber policy review:

  • Push your limits. Although total cyber limits up to $500 million are reportedly available in the insurance marketplace, many major companies’ cyber programs top out at much less. Our experience teaches that even limits of $100 million might fall far short of the total losses from an historically major data breach. Tip: If your company’s principal concern is protection against catastrophic cyber exposures, then consider a higher self-insured retention and build the highest tower of limits above that retention that you can afford.
  • Beware of sublimits. Many cyber policies cap particular kinds of loss at amounts less than the total policy limit. For example, some insurers sublimit coverage for regulatory and Payment Card Industry (PCI) expenses; in a claim for a major payment card breach, these sublimits can generate disputes over how various expenses are characterized and can complicate the timing and presentation of losses. Tip: Some primary insurers are willing to set full-policy limits for all or most of the coverage grants principally involved in a typical payment card breach. Negotiate as few sublimits as commercially feasible. Trap: Some endorsements purporting to cover ransomware are effectively exclusions masquerading as coverage grants with small sublimits. Ransomware already falls within the scope of “cyber extortion” coverage grants in many cyber forms; don’t accept a ransomware-specific endorsement without reviewing both the policy and the endorsement carefully.
  • Push back the Retro Date. Network intrusions are latent injuries: a hacker may be lurking on your system for months before you discover the breach. Most cyber policies exclude loss arising from events happening before a specified “retroactive date,” regardless of when loss is discovered. Tip: The default setting for the retro date is the first inception date of cyber coverage, but some insurers are willing to set it up to a year earlier. Negotiate the earliest retro date you can.
  • Get your cyber application right. Cyber-risk insurance applications typically consist of detailed and highly technical questionnaires, and many cyber policy forms expressly recite that statements in the application are incorporated by reference into the policy, material to the risk, and relied upon in issuing the policy. Trap: An insurer bent on denying a claim may pore through those questionnaires looking for misstatements that might provide a basis to void the policy. For example, the insurer’s complaint in Columbia Cas. v. Cottage Health (C.D. Cal., filed May 31, 2016) alleged that misstatements in the “Risk Control Self Assessment” included in the insured’s cyber insurance application provided grounds to rescind the policy. Tip: Cottage Health illustrates the importance of a careful application process. The company’s legal department, with the assistance of outside counsel as needed, should play an active role in coordinating IT and risk management input into the cyber application, which requires expertise from both functions. A particular challenge in many cyber insurance applications is the disclosure of prior cyber incidents, with attendant privilege concerns.
  • Mind the (coverage) gap, please. A policyholder must look across its entire insurance portfolio to consider whether significant gaps exist, and if so where. The connectedness of the Internet of Things is a prime example of the potential disconnectedness among common insurance programs. Most cyber policies exclude physical bodily injury and property damage, because traditionally conventional property and general liability policies covered such physical harms. Trap: Over the past decade cyber-related exclusions or restrictions have proliferated in standard property and liability policies. Tip: Major property insurers now commonly offer upgraded versions of their policies with cyber-related coverage extensions. More recently, specialty policies covering liability for “cyber-physical” losses have entered the marketplace. If the Internet of Things or networked Industrial Control Systems (ICS) play a part in your operations, explore both your current property and liability programs and these gap-filling alternatives carefully.
  • And don’t forget “other people’s insurance.” Your own cyber policy must fit into your larger ecosystem of risk management arrangements. Under typical vendor or service contracts, counterparties may be required both to indemnify you for cyber-related losses and to procure cyber insurance, both for themselves and for your company as an additional insured (AI). Tip: Check the “other insurance” clause in your cyber policy to determine whose policy will apply first if you are an AI under another party’s cyber policy. Trap: A certificate of insurance from a contracting party’s broker is not the same thing as the policy itself. Especially with cyber policies, which vary widely in their terms, the certificate may not accurately state either the scope of the other party’s coverage or your status under their policy. Tip: Implement internal risk management procedures to request and promptly review the policies required under insurance procurement clauses in all contracts; to calendar those policies’ renewal dates and identify any changes in coverage; and to notify the other party’s insurer in the event of a cyber incident.

Of course, this list is not exhaustive. Other issues that bear scrutiny include the cyber policy’s treatment of defense and selection of defense counsel; its coverage for regulatory investigations and other government proceedings; exclusions that might purport to preclude coverage for employees’ human error; contractual liability exclusions that may conflict with your indemnity or insurance obligations under contracts with third parties; and many more. But every policy review must begin somewhere. The half-dozen issues above will get most first-time purchasers started down the road to understanding what they are buying.


John Buchanan, senior counsel in Covington’s Washington office and the firm’s first Insurance Practice Group Coordinator, has represented policyholders in insurance coverage advocacy, dispute resolution and counseling for nearly four decades. His practice has ranged from the early DES and asbestos coverage litigation to claims for some of the largest cyber losses in history. John has litigated, arbitrated or negotiated a wide variety of complex property and casualty insurance claims, from railroad derailment claims to satellite-in-orbit claims, and from silver-theft claims to cyber claims. The National Law Journal named him an Insurance Trailblazer in 2021, and Best Lawyers has twice named him Washington Insurance Lawyer of the Year. Chambers USA has also consistently recognized him in its national rankings for insurance coverage lawyers (currently as Senior Statesman, previously in Band 1), as have Best of the Best USA, Who’s Who Legal and other peer reviewed lawyer registries.

John became involved with emerging cyber-related coverage issues in the mid-1990s and co-authored one of the earliest treatise chapters on cyber insurance coverage in 2001. Starting with the network intrusion and payment card thefts discovered by TJX in 2006, he has represented policyholders pursuing claims for losses arising from data breaches reported to involve tens of millions of compromised records. John also regularly advises businesses in the management of their cyber and cyber-physical risks, such as those arising from products or services involving the Internet of Things (IoT), Artificial Intelligence (AI), Connected and Autonomous Vehicles (CAVs), and the Metaverse or “Web3.”


Marialuisa (ML) Gallozzi has helped for-profit and nonprofit policyholders develop and execute efficient and practical insurance recovery strategies. As lead counsel, she has helped secure over half a billion dollars for high-value first-party losses and third-party liabilities. In addition to representing policyholders in insurance claims, she also advises policyholders in placing and tailoring insurance coverages for unique risks, transferring risk in contracts and transactions, and preparing for and managing crises.

Chambers USA notes her “great breadth of experience,” describing her as “brilliant” and “highly intellectual.” Business Insurance named her as one of its “Women to Watch” in 2014. In 2019 and 2020, Washington DC Super Lawyers named her one of its “Top 100 Lawyers” and “Top 50 Women Lawyers.” Recent completed engagements include:

  • Product Contamination/Recalls: Represented a U.S. food manufacturer in resolving a claim under a product contamination policy.
  • Cyber: Represented a hospital system in obtaining insurance recoveries for a system-wide ransomware attack.
  • Captives: Advice on coverage for property damage, business interruption, and terrorism losses.
  • Cargo: Represented a nonprofit organization in seeking coverage for products destroyed by fire.