by Ian Boczko, Marshall L. Miller, and Timothy C. Sprague
In recent years, companies have heightened their focus on cybersecurity issues, dedicating substantially more resources to mitigating escalating cyber risks. Increasingly, these efforts include purchasing some form of cyber insurance.
Any cyber insurance policy should supplement, rather than replace, a cybersecurity risk mitigation program. While such a policy may be a useful element of a multifaceted strategy, cyber insurance is far from a panacea. First, the size and types of damages resulting from a catastrophic cyber incursion can exceed even significant policy limits. Additionally, cyber insurance coverage is unlikely to extend to reputational losses or intellectual property theft. Moreover, the cyber insurance market is relatively young and policy forms are still evolving. Thus, cyber insurance does not have the same claims history or established understanding of policy terms that can be found in more mature insurance markets.
Despite these limitations, cyber insurance may still be worth exploring. Traditional corporate insurance policies, including D&O, property, general liability, product liability and crime insurance policies, may not align coverage with the types of losses resulting from a cyber event. And, with more stand-alone cyber insurance policies available, underwriters are starting to tighten language and craft exclusions to limit cyber loss coverage in non-cyber policies.
Where companies do enter the market for cyber insurance, they should individually evaluate each cyber insurance policy to ensure that it is properly tailored to cover the specific risks and exposures that they face. As part of that process, companies should be attentive to the following issues:
- Preexisting Conditions: Companies should understand whether a policy will restrict coverage for breaches stemming from conditions existing at the time the policy is purchased. While sometimes explicit, such limitations can also be implicated through the use of a “retroactive date” for the start of coverage. As some cyber events are caused by a latent, sometimes long-existing, vulnerability in a company’s infrastructure, this type of carveout could result in a significant gap in coverage.
- Key Definitions: Companies should focus on policy definitions of “event,” “loss,” “breach,” and “occurrence.” Given the unpredictable nature of cyber events — and the possibility that an event could impact multiple systems, extend for a long period of time, or trigger other cyber events — it is important to understand the impact of these definitions on the coverage available and the deductibles that might apply.
- Response Flexibility: Insurers may mandate specific mitigation procedures, including use of particular lawyers and consultants, or require pre-authorization before a company takes actions pursuant to its cyber response protocol. Companies should ensure that any such requirements complement, rather than impede or delay, cyber incident response plans.
- Third-Party Risk: While most policies will cover first-party losses such as the costs of forensic investigation, data restoration, business interruption, affected party notification, and crisis management, companies should pay close attention to whether, and to what extent, policies cover third-party claims, such as litigation expenses, claims by customers, government investigations, and regulatory fines and penalties. Companies should also be attentive to whether sub-limits diminish coverage for third-party claims.
- Affiliates, Third-Party Vendors, and Business Partners: Companies should assess whether policies cover the compromise of data under the control of an affiliate or third party, such as a cloud service provider, and how policies treat cyber events originating with business partners, seeking extension of coverage to such events where possible.
- Geographic Limitations: Companies should be attentive to whether policies confine coverage to losses that occur in, or originate from, specific geographies. This is particularly important for companies with technology infrastructure or employees located internationally, as certain jurisdictions require that policies be purchased locally in order to cover damages that occur there.
- Employee Responsibility: Companies should know whether their policies restrict coverage to losses triggered by an “external” intrusion to the company. Such provisions could limit coverage when a bad actor is a company insider or when company personnel serves as the inadvertent entry point for an attack, such as when an employee downloads malware, or falls prey to a phishing attack or impersonation fraud.
Overall, the availability of cyber insurance affords opportunity to offset some risks and costs. But companies should proceed with caution, using cyber insurance products as one part of a comprehensive cyber strategy. Through careful attention to policy language, companies can maximize the benefits and avoid the pitfalls of cyber insurance. Finally, given the constantly evolving nature of the marketplace for insurance products, it is important for companies to consider the manner in which — and the extent to which — a company’s portfolio of different insurance policies will ultimately respond to particular types of losses.
Ian Boczko is a Partner, Marshall L. Miller is Of Counsel, and Timothy C. Sprague is an Associate at Wachtell Lipton Rosen & Katz.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.