High-profile cyber security events over the past few years have caused alarm among many US companies. We now know that, in addition to potentially losing customers' personally identifiable information (PII), companies can suffer operational downtime, extortion threats, stolen confidential business information and even property damage because of cyber attacks and other events. Many companies are turning to cyber insurance to protect themselves against these and other risks. But cyber insurance is not standard; there is wide variation in policy language among insurers and the policies can be modular with various optional coverages. Without careful consideration and negotiation, your company's cyber insurance may not provide necessary and expected coverage. In-house lawyers should be intimately involved in the purchase and annual renewal of cyber insurance, helping match the coverages and policy terms to the business's unique risk profile.
Here are the Top Ten issues in-house counsel should look for when advising their companies on cyber insurance purchases and renewals:
1. What constitutes a covered data security breach?
Cyber insurance policies commonly cover the company's first-party losses resulting from a data security breach, including forensic investigation costs, attorneys' fees, public relations costs, customer notification costs, as well as the cost of providing credit monitoring and call center resources to affected individuals. However, the company is only entitled to coverage for these losses if the data security breach qualifies for coverage under its policy. Some cyber insurance policies only cover data security breaches affecting the company's "computer system." If the company stores personally identifiable information for which it is responsible with third parties or in the cloud, coverage might not be available for an attack on a third-party system if the policy defines "computer system" to include only the hardware that the insured organization owns or controls. As a result, confirm that the cyber insurance policy covers all data security breaches implicating information stored with third parties for which the insured organization is responsible.
2. Does the proposed policy cover data security breaches involving confidential corporate information?
Many companies do not believe they need cyber insurance because they are not retailers or hospitals, which collect massive amounts of PII and are obvious targets for cyber attacks. But cyber insurance can be triggered by the loss or theft of confidential corporate information. If your company holds confidential information of third-party businesses, ensure that the policy covers breaches involving this type of information and understand what exactly qualifies as "confidential corporate information." Some policies are very specific in requiring that the information be expressly identified in a written contract. Other policies are more lax, merely requiring that the policyholder has agreed to maintain the information's confidentiality or not defining "confidential corporate information" at all.
3. Does the proposed policy cover the cost of restoring damaged or destroyed data?
Not all cyber insurance policies will reimburse the company for the costs it incurs restoring damaged or destroyed data. If the risk of losing valuable trade secrets or customer information is large for your company, consider asking for this specific type of coverage.
4. Is the cyber extortion and ransomware attack coverage sufficiently expansive?
Most cyber insurance policies offer some form of cyber extortion and ransomware coverage, which will pay for the costs the company incurs in responding to an extortion demand or ransomware attack, as well as any extortion payment. However, be aware of some possible limitations on this coverage, which often can be addressed through negotiation when purchasing or renewing the policy. First, the coverage might not expressly apply to extortion payments made with cryptocurrency, such as Bitcoin. Ask not only for this to be included in the policy, but also that the insurer is able to make a Bitcoin payment on short notice. Second, be aware of sublimits that might restrict the amount of coverage available for cyber extortion or ransomware attacks, as these often can be negotiated upward. Third, ensure that the business interruption coverage (see below) afforded by the policy applies in the event of a cyber extortion attempt or ransomware attack that impairs the company's computer systems.
5. What kinds of business interruption coverage does the proposed policy provide?
Your company's cyber insurance policy may provide business interruption coverage for lost revenues caused by computer system downtime in the wake of a cyber attack. It pays to carefully negotiate the business interruption coverage necessary to protect your company against business income loss and "extra expense" associated with mitigating that loss. If your business relies on third-party computer systems, be sure to ask for contingent, dependent business or "outsource provider" business interruption coverage. Direct business interruption coverage likely will not cover your company's losses for downtime caused by an attack on a third-party computer system. Contingent, dependent business or outsource provider coverage will do so, but is often not initially included in an insurer's cyber insurance quote. Also see whether your company can buy "system failure" coverage, which would reimburse lost revenues caused by a third-party system's downtime resulting from something other than a cyber attack, such as a faulty software update or a negligently performed operation.
6. How much business interruption coverage does the proposed policy provide?
Business interruption coverage often is subject to a sublimit, and insurers often place quite low sublimits on contingent business interruption coverage. You may be able to negotiate a higher sublimit, particularly by identifying a few key third-party providers on whose systems your company relies. Also, business interruption coverage will be subject to a waiting period or time deductible before it kicks in. Insurers have been reducing these over the past year, in some cases to less than 12 hours. Your company likely will want to have the shortest waiting period or time deductible possible.
7. Does the proposed policy cover likely third-party liability claims against your company?
Cyber insurance typically will cover the company against defense costs and liability in consumer class actions arising from a data security breach. But your company may face an array of other claims by clients, business partners, vendors and others for harm they suffer as a result of an alleged error or omission in the performance of services. Fortunately, cyber insurance is often combined with "technology errors and omissions" liability coverage. Review the policy's definition of technology or professional services to be sure that it is broad enough to capture your company's business operations and activities. Ensure that the policy covers liability for breach of contract if your company typically provides services pursuant to contract. Confirm that the policy covers errors or omissions in technology products if your company manufactures, distributes or sells them.
8. Does the proposed policy cover regulatory claims?
Many cyber insurance policies will cover defense costs and liabilities incurred in claims against the company by regulators. But there can be substantial restrictions. The regulatory claim coverage often only applies to claims by certain regulators, such as a state attorney general, the Federal Communications Commission or the Federal Trade Commission. If your company is in an industry regulated by a different regulator that is not identified, ask that it be added. For example, utility companies may face regulatory scrutiny on cyber security issues by specific federal, state and local government agencies that are not typically identified in these coverages, and they should be added to the policy if possible.
9. Does the proposed policy cover Payment Card Industry Data Security Standard (PCI-DSS) fines and assessments?
Data security breaches involving stolen credit card information often result in fines and assessments being imposed on the company by the banking industry for various costs associated with cancelling and reissuing credit cards to affected consumers. These fines can reach well into the millions of dollars. Many cyber insurance policies cover this type of loss, but not all. See P.F. Chang's China Bistro, Inc. v. Federal Ins. Co., No. CV-15-01322 (D. Ariz. May 31, 2016) (finding no coverage for PCI-DSS assessments where the policy did not expressly provide coverage for them).
10. Does the proposed policy give the company sufficient control over the investigation of cyber security incidents and defense of claims?
Cyber insurance policies usually require insureds to select forensic investigators and law firms from a pre-approved "panel" or list of providers. Are the vendors and law firms that your company would want to retain in high-profile matters on that list? Be sure that they are, or if they are not, ask the insurer whether it will approve them in advance. Otherwise, precious time, energy and money could be lost at the outset of a response effort negotiating with the insurer over who can represent the company. Additionally, some cyber insurance policies impose a duty to defend on the insurer. While this might provide some advantages to the policyholder in terms of the scope of the defense available, it may place the selection of defense counsel and certain decisions relating to the defense and settlement of claims in the hands of the insurer. Carefully consider whether your company will want more control over its investigation and defense, and attempt to work out all these arrangements before the policy is placed.
Cyber insurance can provide valuable coverage in the event your company suffers a cyber security incident. However, without forethought and negotiation, there is a real risk that your company will not have all the coverage it needs and expects when the time comes to use it. In-house lawyers should work closely with their company's finance and risk management groups, as well as insurance brokers and outside counsel, to match the cyber coverages and policy terms available to the company's unique risks and exposures.