As more and more companies enter the burgeoning cyber insurance marketplace, they often ask policyholder counsel like me how they can choose the best cyber policy when confronted with so many choices.
When the marketplace was still in its infancy just a few years ago, this was a considerably harder question because the policy forms, including the scope of first party and liability coverages being offered by different insurers, varied so drastically. But as the cyber insurance marketplace enters its adolescent stages, there is beginning to be more standardization in available coverages and exclusions, at least at a high level.
Related: 6 categories of questions you'll be asked when applying for cyber coverage
But what has not changed is that many key terms of these policies remain negotiable (considerably more so than for other types of insurance policies), and the courts have been presented with few opportunities to provide guidance on how key provisions in these policies are likely to be interpreted.
The net result is that prospective policyholders can and should continue to negotiate aggressively in the underwriting process, especially when purchasing cyber coverage for the first time. But what provisions should a prospective policyholder be most concerned about? The answer depends largely on the most prevalent risks faced by individual companies, which are unique to them.
However, there are some provisions common to many cyber policies that, in my view, present risk to all policyholders due to imprecise or inappropriately restrictive coverage language. Because these provisions are almost certain to be the basis of numerous denials of coverage, they are likely to be tested in litigation in the next few years and deserve particular focus by prospective policyholders. Some of these looming battleground provisions include:
Retrospective dates
Most cyber policies are subject to a specified retrospective date, which means that liability claims, such as data breaches, arising from events occurring prior to that date are not covered. Often, the insurer will set the retrospective date at the inception date of the first policy the insurer issues to a particular insured. This can be a significant problem, especially for first-time insureds, due to the close temporal proximity between the retroactive date and any potential claims.
Related: Top cyber threats can shift by industry, but risk is universal
To make matters worse, many cyber policies contain language purporting to relate all causative events back in time to the date of the initial causative event. In many cases, this problem will begin to alleviate itself over time if the policyholder renews its cyber policy with the same insurer (i.e., the retroactive date will remain fixed at the initial inception date as successive policies are issued). That said, I still see more cyber claims denied on this ground than any other.
Some cyber insurers will agree to backdate applicable retroactive dates for prospective policyholders and some will not. Particularly with respect to the latter, significant factual disputes regarding the specific events precipitating an otherwise covered claim are entirely foreseeable. The complex technical aspects of data networks and the inherent uncertainties regarding the genesis of many breaches are likely to exacerbate these disputes even further.
Unauthorized access to computer systems
Many cyber policies provide coverage only where access to the insured's computer system is “unauthorized.” Some insurers will argue that this precludes coverage where an employee negligently provides access (such as losing his or her password) or is tricked into providing access (such as in a spear phishing attack).
Related: 8 ways to improve cyber insurance
Some insurers have sought to clarify the scope of “unauthorized access” by defining that term in their policies, but others have not. Like many cyber policy provisions, the scope of this definition may be negotiable, and any ambiguities should be resolved in favor of the policyholder under general principles of insurance policy interpretation. But given the ever-increasing frequency of cyber fraud and the ever-increasing ingenuity of cyber fraudsters, the extent to which there is coverage under cyberpolicies for unintentional but arguably authorized access to computer systems is likely to be disputed vigorously.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- All PropertyCasualty360.com news coverage, best practices, and in-depth analysis.
- Educational webcasts, resources from industry leaders, and informative newsletters.
- Other award-winning websites including BenefitsPRO.com and ThinkAdvisor.com.
Already have an account? Sign In
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.