By Rene Siemens and David Beck, Attorneys, Pillsbury Winthrop Shaw Pittman LLP
This article previously appeared in Risk Management magazine.
Exposure to network and data security breaches has grown exponentially in recent years and the market for insurance tailored to cover this risk has grown just as fast. These insurance policies are sold under names like "cyber insurance," "privacy breach insurance" and "network security insurance." The market for this coverage often seems like the Wild West, with premiums and terms varying dramatically from one insurer to the next and being highly negotiable. Before buying or renewing a cyber insurance policy, it is crucial to understand what you are really being offered and know how to bargain for what you need.
Cyber insurance policies cover third-party claims and first-party losses. Most policies cover costs of defending against claims that result from network and data security breaches, regulatory investigations, judgments and settlements. Policies may also cover a hodge-podge of other items including costs of notifying individuals whose data has been breached, providing credit monitoring, retaining public relations and forensic investigation consultants, restoring lost or stolen data, and pursuing indemnity rights when someone else has caused the breach. Some policies cover lost revenue due to interruption of business operations as a result of a breach, costs of responding to "E-extortion" and "E-ransom" demands, and even media liability claims. Few policies contain all of these coverages and every policy's coverage is different.
Negotiating Coverage - What To Look For In A Cyber Insurance Policy
Given the sometimes bewildering variety and lack of standardization in cyber insurance policies, buying an "off-the-shelf" policy is rarely the best approach and can result in disaster. It is best to have experienced professionals help you place and negotiate this kind of insurance. Ask your broker whether he or she has specific cyber insurance expertise, and if not, ask for a referral to a broker who does. It is a good idea to have an attorney who has cyber insurance experience (and doesn't work for the insurance companies!) help you negotiate the fine print, since the legal meaning of insurance policy wordings can be critical. Nevertheless, there are a few things you should always bear in mind when buying or renewing a cyber insurance policy.
Buy What You Need
With all the bells and whistles now offered by some insurers, it is important to stick to basics. Consider whether you really need the coverages being offered and just say "no" if you don't. For example, business interruption coverage is usually subject to a lengthy waiting period before it attaches. Some companies conclude that this coverage is not worth the extra premium because they expect network disruptions to be quickly fixed.
Conversely, if an insurer is unwilling to remove an objectionable exclusion or limitation from its policy, then ask your broker to get bids from other insurers. The cyber insurance market is highly competitive, with many insurers focused on building market share right now, and one insurer might very well be willing to give you what another won't.
Limits Of Liability
One of the most important issues in negotiating cyber insurance is determining the appropriate limits of liability. The costs of responding to a data breach can be substantial. Estimates vary, but one study found that in 2011 the average organizational cost of a data breach involving the loss or theft of personal data was $5.5 million, or $194 per electronic record. To put that number in context, a data breach involving just 25,000 records (which is below average) would nearly exhaust a $5 million policy. And if a plaintiff class actually obtained a judgment under a state statute that imposes $1,000 in damages for each claimant, the judgment alone could consume $25 million of insurance policy limits. Because cyber insurance is not particularly expensive, you should choose limits of liability in light of your total potential liability exposure in the event of a breach.
Most cyber insurance policies impose sub-limits on some coverages, such as for crisis management expenses, notification costs, or regulatory investigations. These sub-limits are not always obvious and they are often inadequate. They should be scrutinized carefully and set realistically.
Get Retroactive Coverage
Most cyber insurance policies limit coverage to breaches that occur after a specified "retroactive date." In some policies the retroactive date is the same as the inception date of the policy. This means there may be no coverage for claims first made during the policy period that result from breaches that occurred before the policy period, even if the insured did not know about the breach when it bought the policy. Because breaches may go undiscovered for some time before claims are made, insureds should always ask for a "retroactive date" that is earlier than the policy's inception. This will ensure that coverage extends to unknown breaches that occurred before the policy incepted but first give rise to a claim during the policy period. Insurers do not always offer retroactive coverage unless asked, but it is commonly available for periods of 1, 2, 5 or 10 years and is sometimes unlimited.
Beware Of Broadly-Worded Exclusions
It is not uncommon to find cyber insurance provisions that contradict the insured's basic purpose in buying the coverage. Sometimes these provisions have been cut from other insurance policy forms and unthinkingly pasted into cyber insurance forms where they do not belong. For example, some policies broadly exclude coverage for any liability arising from a breach of contract. The problem is that many insureds collect and store confidential information from customers, patients or business partners pursuant to contracts that require them to maintain the confidentiality of the information. They buy cyber insurance precisely to protect them in case a privacy breach gives rise to damages claims under such confidentiality agreements. Many insurers, if asked, are willing to modify their exclusions to make it clear that they will not bar coverage for these claims. This is just one of many examples of broadly-worded exclusions that need to be reviewed carefully and narrowed to make sure that they will not defeat the reasonable expectations of the insured in buying cyber insurance.
Beware Of Panel And Consent Provisions
Many cyber insurance policies require that any investigators, consultants or attorneys used by the insured to respond to a claim or potential claim be drawn from a list of professionals that have been pre-approved by the insurer. If the insured has consultants or attorneys that it wants to involve in the event of a loss because they already know its business operations, it is a good idea to ask to add these professionals to the insurer's pre-approved list during underwriting. It may be easier to add professionals to the pre-approved list before you pay the policy's premium than after the insurance company already has your money.
Cyber insurance policies also often contain consent provisions stating that the insured must obtain the insurer's consent before incurring any expenses to notify customers or patients of a data breach, conduct forensic investigations, or defend against third-party claims. Such prior consent provisions are sometimes invoked by insurers to deny coverage when emergency costs have been incurred without the insurer's consent, even if the costs are completely reasonable and necessary. If prior consent provisions are included in the policy and cannot simply be removed, you should at a minimum change them to provide that the insurer's consent "shall not be unreasonably withheld." It is also a good idea to keep your insurer on "speed dial" when a breach happens, so that it can't assert that it has been kept in the dark about any emergency response costs you had to incur.
Allocation Of Defense Costs
Where both covered and non-covered claims are asserted in the same lawsuit against the insured, an issue often arises regarding the proper allocation of defense costs: i.e., what portion of the insured's defense costs must the insurer pay? There are a number of ways that insurance policies can respond in this situation, with some policy provisions being more advantageous to the insured than others. For example, some policies provide that the insurer will pay 100% of defense costs if the lawsuit alleges any claim that is potentially covered, while other policies say that the insurer will only pay the portion of defense costs it unilaterally believes to be covered until a different allocation is negotiated, arbitrated or judicially determined.
These issues are less likely to arise in a "duty to defend" policy (where the insurer must take over the insured's defense of any third-party claims), which typically covers 100% of defense costs so long as any of the claims against the insured is potentially "covered." However, under a "duty to pay" policy (where the insurer agrees to reimburse the insured for its defense costs or pay them on its behalf), allocation is more likely to be disputed. It is important to understand the allocation method contained in the policy and try to negotiate one up front that is favorable to you.
Obtain Coverage For Acts And Omissions Of Vendors
Chances are that at least a portion of your organization's data processing and storage is outsourced to a third-party vendor. Therefore, it is important that your cyber insurance policy cover claims against you that result from breaches caused by your data management vendors. Most cyber insurance policies do provide coverage for such vicarious liability, but not all of them clearly do. It is widely understood in the insurance industry that policyholders expect coverage for claims that arise out of the acts and omissions of their vendors, consultants and subcontractors. If such coverage is not initially offered or is unclear, you should demand that it be clearly included in the policy.
Dovetail Cyber Insurance With Indemnity Agreements
You should also make sure that your cyber insurance and vendor indemnity agreements complement each other so that you can maximize your recovery from both sources. For example, some cyber insurance policies state that the policy's deductible or self-insured retention "shall be borne by the Insured uninsured at its own risk." Some insurers may interpret this language as requiring the insured to pay the retention out of its own pocket, and take the position that if the insured gets reimbursed for this amount from the vendor that caused the breach then it has failed to satisfy this precondition to coverage. This kind of clause can therefore present the insured with an unpalatable dilemma: either pursue indemnity from your vendor and give up your insurance, or collect from your insurance company and let the responsible vendor off the hook. This unfair outcome is not in the interest of either insurer or insured. Insurers are often willing to modify these provisions to clarify that the insured can collect its self-insured retention from a third party without compromising its insurance coverage.
Harmonize Cyber Insurance With Other Insurance
Some cyber insurance policies provide that your data management vendors are also insured under your policy. There may be business reasons for wanting vendors to be insured under your policy in a particular case, but it is often preferable for your policy to provide that it will apply only in excess of a vendor's insurance, and to require in your supplier contracts that your vendors buy their own cyber insurance, which is to act as primary insurance and name you as an insured. This structure can reduce the odds that your insurance policy limits will be depleted by claims for which your vendors are primarily responsible.
Get a Partial Subrogation Waiver
If your insurer pays a loss, it may become "subrogated" to your claims against any third parties that were responsible for causing the breach. This means that the insurer can try to recoup its payment by pursuing your claims against the responsible parties. Many cyber insurance policies contain a provision stating that you cannot take any action to impair the insurer's subrogation rights.
One problem with such provisions in the cyber insurance context is that contracts with data management vendors commonly contain limitation of liability provisions. These provisions can give rise to disputes about whether the insured has breached its contract with its insurer by impairing or limiting its recourse against the vendor.
A possible fix is to insist that a partial "waiver of subrogation" provision be added to your cyber insurance policy. Such provisions, which are quite common in other lines of coverage, simply provide that the insurer will not assert that its subrogation rights have been impaired by any contract into which you entered before a loss occurs. Some insurers are willing to agree to such provisions in the cyber context, but others may not be. If your insurer is not willing to give a partial subrogation waiver, you should consider shopping elsewhere.
Clearly, cyber insurance policies can be a valuable tool for mitigating losses arising from a network or data security breach. But the value can vary greatly from one policy to the next. When buying or renewing cyber insurance caveat emptor is the rule: it is essential that each policy provision be reviewed carefully and that enhancements to coverage are negotiated where appropriate.
Rene Siemens is a partner in the insurance recovery practice of Pillsbury Winthrop Shaw Pittman LLP. He represents policyholders in disputes and negotiations with their cyber insurers and other insurers.
David Beck is an associate in the insurance recovery practice of Pillsbury Winthrop Shaw Pittman LLP. He advises policyholders in the negotiation and resolution of complex insurance matters.