Mitigating the Risk of Cybersecurity Whistleblowing

by Evan Bundschuh and Dallas Hammer

This post is the second part of a two-part post by the authors, entitled The Rise of Cybersecurity Whistleblowing.

Companies seeking to mitigate the risk of cybersecurity whistleblowing through insurance face a unique set of challenges. Cyber whistleblower claims fall somewhere between cyber and D&O insurance, and poorly structured policies will yield little to no coverage. Organizations that have placed both policies will nonetheless likely assume that they have performed their due diligence and that coverage is in place for claims at the time of loss. However, securing broad coverage for even standard whistleblower claims can be difficult.

Whistleblowing claims present many challenges to insurability, from policy definitions to exclusions. Because of the regulatory nature of these claims, one of the main challenges is securing coverage for investigations and the associated pre-claim costs. Many policies affirmatively include regulatory and administrative proceedings within their definition of “claim” or “securities claim,” which may lead directors to assume a degree of indemnification from the insurer during an investigation. That assumption does not translate into such coverage: many policies remain silent on investigations and thus preclude coverage for them. Even when policy forms do include investigations within their definition of claim, they will often limit coverage solely to “formal” investigations and/or those that name individual insureds for wrongful acts. This can amount to the insured absorbing considerable damages, because the “informal” investigative phase is generally directed at the entity and may last a year before any individuals are named or any formal proceedings are brought, if ever. Policies may also restrict coverage through their definitions of “damages,” which will often, at least initially, preclude pre-claim costs related to document production, discovery, and interviews. Most policies also initially exclude resulting fines, penalties, and punitive damages from “loss.” Even when sophisticated buyers or brokers are successful in carving these back, the insurability of such amounts is itself a challenge that is often contested in court.

The fact that these claims have a cyber element may provide an additional source of coverage (in a cyber policy), but it also creates an additional barrier to indemnification under a D&O policy, as many policies are not crafted for cyber exposures. In fact, some insurers have been adding explicit cyber exclusions to their D&O policies. In order to coordinate coverage for cyber whistleblowing claims, buyers should attempt to avoid this exclusion entirely. When avoidance isn’t an option, buyers should attempt to negotiate a carve back for cyber whistleblower claims brought under SOX, Dodd-Frank, and additional statutes.

Companies seeking coverage under their cyber policies will face a separate set of challenges. For one, almost all cyber policies contain broad securities exclusions. Because these claims often fall under securities laws, companies (particularly public companies) must negotiate a carve back for whistleblower claims that fall under SOX/Dodd-Frank. Failure to do so can leave the cyber policy unresponsive, depending on its language. Additionally, the scope of regulatory defense coverage will often vary significantly from policy to policy, ranging from broad to nonexistent. In addition to addressing the same challenges of coordinating coverage for investigations (as above), insureds must also ensure that cyber policies broadly define “network” and “privacy” wrongful acts to include (among other acts) unintentional violations, failure to disclose a breach, and failure to reasonably implement privacy or security policies, which can be difficult to obtain. Further, poorly worded policies may limit the definition of covered data solely to PII, failing to cover corporate confidential information. Affirmative coverage should also be included for fines and penalties (which, again, may still be contested in court). Similar to their D&O counterparts, cyber policies also often contain their own version of the “insured vs. insured” exclusion. However, unlike D&O policies, which routinely carve back coverage for whistleblower claims, cyber policies often contain no such carve back. Buyers must be knowledgeable enough to request these carve backs, and even then, insurers may not be responsive.

Lastly, companies may also need to alter their perception of “whistleblower claims,” as whistles can also be blown in unexpected ways. In at least one controversial case, cyber vulnerabilities in a cardiac device were discovered by a security research firm which, instead of alerting the manufacturer or the FDA, presented its findings to an investment firm for trading purposes. While this is both a very controversial and an exceptional case, it highlights that companies with cyber vulnerabilities need to be aware that all eyes are watching.

The best approach for mitigating risk is to give cybersecurity the attention it deserves. Senior executives should also admit their own vulnerabilities and accept that their knowledge of cyber risk is limited, relying on their CISOs and tech teams to make important decisions. Companies should promote a positive environment for employees and treat all security recommendations (from both outside and inside the organization) as valued information and an opportunity for improved security. And when vulnerabilities are discovered, a swift reaction can be your best friend. Last, partnering with a qualified broker and counsel to assist with placing carefully structured cyber and D&O policies is critical. For smaller companies that are unfamiliar with how these policies work, we have published basic cyber insurance and D&O insurance guides.

Evan Bundschuh is a partner and commercial lines head at GB&A, an independent insurance brokerage located in New York focused on insurance programs and risk management solutions for tech companies, financial & professional services, manufacturers and product-based businesses. Dallas Hammer is Of Counsel at Zuckerman Law and chairs the firm’s Whistleblower Rewards Practice Group.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.