When it comes to cyber-related risks, businesses face two enormous challenges. First, cyber risks are by their very nature ever-evolving, posing a greater and greater risk that is difficult to stay abreast of, let alone contain. Second, when trying to insure against the risk of loss from cyber threats, policyholders are faced with an insurance marketplace that is in flux and fragmented.
Below is our list of 10 Tips for Policyholders to consider in maximizing the chance of an insurance recovery from cyber-related losses.
- Make sure your insurance matches the way you conduct online business and process data. For example, there are insurance coverage implications if you use cloud computing or other computer vendors for hosting and processing data. Many of the cyber risk insurance policies available today can be tailored to reflect the fact that the policyholder may delegate to third-parties data management and hosting.
- Do not rule out coverage for a claim under traditional business policies. If a cyber loss occurs consider D&O, E&O, crime and GL insurance coverage depending on the claim against your company or the form of loss. We have had success in winning coverage for our clients for cyber-related losses under traditional coverage that is not expressly sold for cyber losses.
- Avoid cyber insurance policy terms that condition coverage on the policyholder having employed “reasonable” data security measures. These clauses are so vague and subjective that they are bound to lead to coverage fights. Further, given the lightning speed of technological innovation and amorphous nature of cyber risks, a cyber security practice that was reasonable just months ago may look reckless with the benefit of hindsight and the passage of time.
- If you possess or process consumer or business credit card information, make sure that you have insurance coverage for fraudulent card charges and credit card brand assessments and fines—these can be large exposures when there is a significant data breach.
- If you do business with individual consumers and obtain their personal identifying information, make sure you have coverage (including attorney fees coverage) for the inevitable expenses of responding to informal inquiries and formal proceedings that ensue from state attorney generals, the FTC and others when a breach occurs (often implicating residents of several states).
- Make sure that your insurance covers breaches arising from mobile devices that may or may not be connected to the company’s computer network. More and more employees can access systems through tablets, smart phones, and PCs. The ever-growing size of hard drives and ubiquity of portable drives mean that some employees may create security risks, even when the device is not logged onto the company servers.
- Complete insurance applications carefully, including D&O applications. Underwriters will be focusing more and more on computer risk areas, and insurance application responses often are used against policyholders to contest insurance claims.
- Avoid cyber insurance policies with contractual liability exclusions. Contractual liability claims often are made in conjunction with statutory claims, negligence claims and other forms of relief, and policyholders are best off not enduring a huge allocation fight over what portion of the claim is covered in the eyes of the insurance company.
- If you are buying or renewing specialty cyber insurance policies, make sure that you are working with a very good and experienced broker. There is not presently uniformity of product in the cyber insurance marketplace, and lots of terms are open for negotiation. A good broker can help get you the best coverage.
- Provide notice to your insurance companies quickly after a breach. Early in the process of responding to a breach, the meter will be running on costs. When you have a breach situation, every second counts, and you undoubtedly will incur costs quickly for computer forensics, attorneys and other consultants. Providing proper notices and advising of these costs promptly can increase the odds of recovering these costs from your insurance companies.