In a recent webinar, Lathrop Gage Partner Mike Abrams and Hays Companies Vice President and Cyber Liability Practice Leader Dave Wasson covered several common pitfalls to avoid in buying cyber liability risk policies. In summary, the cyber insurance market is not a mature one, and policies differ significantly. It’s important to be working with a broker or lawyer who is familiar with potential issues and terms that can be negotiated.
See below an outline of pitfalls that were covered in the webinar:
- Acts or Negligence of Vendors
- Language commonly says: “The Insurer will pay on behalf of the Insured all sums in excess of the Deductible amount which the Insured shall become legally obligated to pay as Damages and Claims Expenses resulting from Claims first made against the Insured and reported to the Insurer during the Policy Period for Claims arising as a result of a Data Breach Wrongful Act by the Insured . . . .
- Fix: strike the language “by the insured.”
- Cloud Issues
- Language commonly references the “Insured’s system.” The definition of “system” would not include/cover a data breach in the cloud.
- Fix: add “cloud computing” to the typical “system” language.
- Too Many Insureds
- Oftentimes the common language is too broad for larger companies. The standard definition often includes all employees.
- Problem – if someone inside your company causes the breach, you may not be covered.
- Fix: limit coverage to a control group (directors & key officers, for example)
- Retroactive Dates
- Cyber insurance policies are claims-made policies; they do not cover acts before the retroactive dates in the policies. Many policies set the date as the beginning purchase of the policy.
- Problem – cyberattacks aren’t always immediately detected; they can go unnoticed for years. If malware was on your system’s computers before the inception date, you’ve got trouble.
- Fix: negotiate retroactive dates as long as possible; 12-24 months may be achievable.
- Disruption Period
- Relates to business interruption damages; how long your system is down before coverage kicks in.
- Some policies say the system must be down 72 hours before insured can begin to receive payment.
- Fix: negotiate down the disruption period, to start accruing damages, to be as low as 8-12 hours.
- Minimum Standards Exclusions
- Very ambiguous language; “continuously implemented” procedures and risk controls. What does “continuously” mean?
- Terms used: “computer system,” “digital assets,” “network communications,” “application” – all have specific definitions. Policyholders must confirm that vendors follow all best practices as well.
- Preambles can carry broad exclusions – this is not as common in new policies, more standard in older ones. Can try to get them removed, or change to new/different policies that do not include those conditions.
- Definitions and language – “data,” “dependent business” – could limit coverage, if there are no regular back-ups, and/or no written contracts with vendors.
Please contact your attorney or broker for more information – or Mike or Dave at the contact information included here.
Co-author: Dave Wasson, VP & National Cyber Liability Practice Leader, Hays Companies