Cyber Security and Insurance Coverage Protection: The Perfect Time for an Audit by Lynda Bennett
The following article is from National Underwriter’s latest online resource,
FC&S Legal: The Insurance Coverage Law Information Center.
Lynda A. Bennett
February 23, 2015
2014 ended almost the same way that it began for most companies – having concerns about cyber security and hackers.
At the beginning of the year, the news cycle was focused on breaches that took place in the consumer product space as
Target, Michael’s, Neiman Marcus, and Home Depot worked fast and furious to address breaches that led to concerns
about a massive amount of credit card information possibly being “in the open.” Later in the year, we learned that
corporate giants like JPMorgan Chase and Apple were not immune from cyber security breaches as still more personally
identifiable information and very personal photographs were released into the public domain. Finally, as 2014 drew to a
close, the entertainment industry was further rocked by the cyber-attack on Sony Corp., which led to even broader
concerns about national security and terrorist threats.
All of these serious and large-scale risks led many companies to evaluate their current insurance profile, with a specific
eye toward determining how much, if any, insurance coverage they have for cyber liabilities and losses. Many companies
were surprised to learn that their current coverage profile was less than complete. Then they learned that the process of
considering and placing a new, standalone cyber insurance policy is complicated because there are so many different
policy forms on the market today and their current insurance broker relationships may not be sufficient to navigate the
complexities of placing cyber coverage.
Thus, with 2015 underway, now is the perfect time to conduct an audit of your existing insurance program and to address
any gaps in coverage that may exist with respect to cyber risks. To aid in that process, this article provides an overview of
the current state of play for coverage under “traditional” and “new” cyber insurance policies and provides guideposts
that should be followed to avoid unwelcome surprises after a breach has occurred.
Cyber Coverage Is Quickly Disappearing From “Traditional” Insurance Policies
Nearly all companies have commercial general liability insurance (“CGL”), which protects against third-party liabilities,
and first-party property insurance coverage, which protects personal property and usually provides some form of business
interruption coverage. Most companies are unaware that these “traditional” insurance policies offer very little to no
protection against cyber risks.
The mischief began all the way back in the late 1990s when companies were worried that Y2K would shut down their
computer systems. While companies were spending multimillions of dollars to correct the Y2K problem, the insurance
industry got “out front” on the issue, placing “absolute” Y2K exclusions in their policies and modifying the definition of
property damage to state that electronic information and data did not qualify as covered “tangible” property.
After 2000 came and went, most companies stopped looking at the Y2K exclusion that carried forward into their renewal
policies. Therefore, they did not notice that the Y2K exclusion morphed over time into a broadly worded exclusion that
may bar coverage for a wide variety of electronic-related risks and liabilities. Moreover, last year, the Insurance Services
Office approved the use of a specific “data breach” exclusion in CGL policies that bars coverage for claims arising from
any access to, or disclosure of, any person’s or organization’s confidential or personal information including:
- patents;
- trade secrets;
- processing methods;
- customer lists;
- financial information;
- credit card information;
- health information; or
- any other type of nonpublic information.
In short, the insurance industry has taken repeated steps to eliminate cyber coverage from “traditional”
insurance policies. Companies currently engaged in the renewal process should be aware of the new ISO exclusion and
should work closely with their insurance professionals to avoid inclusion of this endorsement and/or explore whether it
may be narrowed in scope.
Companies also should keep in mind that “older” CGL policies that do not contain the exclusions discussed above
remain available to respond to claims that are made in 2015 as long as the alleged injuries took place during the “older”
policy periods. When in doubt, provide notice of the claim and work closely with insurance professionals to determine
whether and how far to push for coverage.
Cyber Coverage “With Strings”
Some “traditional” policies may still provide coverage for cyber-related risks but that coverage may be substantially
scaled back through the use of “sublimits.” Unfortunately, most companies do not appreciate the importance of a
sublimit until after a loss has occurred and the insurer pays the claim only up to the applicable sublimit.
By way of example, a professional liability (“E&O”) policy may be sold to a technology-based company showing a $5
million limit of liability. However, further embedded in the declarations page of the policy, the insurer may agree to
cover losses flowing from a data breach or service interruption but the coverage is subject to a $250,000 sublimit (which
oftentimes is inclusive of defense costs). This means that when the company is sued by a client or any other third party
for a hacking event, the maximum amount of insurance coverage available to defend the claim and resolve the loss will
be $250,000 which, as most companies know, is an insignificant amount when dealing with a security breach.
Again, to avoid this kind of unwelcome surprise, companies are well-served to have an insurance professional conduct
a careful audit of the coverage provided.
Stand Alone Cyber Liability Policies – The Future is Now
The erosion, and downright disappearance, of coverage under traditional policies is not an accident. Rather, the
insurance industry wants to isolate and price cyber liability risk separately and issue standalone insurance policies to
cover such risks. This is not a new phenomenon as companies experienced a similar transition when employment
practices and pollution legal liability policies were introduced into the insurance market in the mid to late 1990s.
At present, the cyber insurance liability market is still in the early and developmental stage. Therefore, companies have
many different policy forms to choose from and pricing arrangements are varied. Many cyber policies offer coverage on
a Chinese takeout menu basis where companies must decide which coverages to purchase and whether to agree to
sublimits on certain of those coverages. The definitions used in the policy forms vary in material ways and the scope of
coverage provided to entities/persons insured is also diverse.
The biggest mistake for a company to make is to assume that its current insurance program is sufficient to cover any
and all cyber risks that may be presented in the future. Indeed, even the newest cyber liability policies must be carefully
scrutinized in the wake of the recent Sony breach, which may have involved an element of terrorism. Some cyber policies
contain a broadly worded “war” exclusion that bars coverage for claims arising out of war, invasion, acts of foreign
enemies, hostilities, warlike operations, and a host of quasi-military related activities.
The best way to ensure that your company is protected against cyber security and hacking risk is to assemble a team of
skilled insurance professionals and conduct a careful audit of existing and available insurance policies.
Call 1-800-543-0874 | Email customerservice@SummitProNets.com | www.fcandslegal.com