Cyber security promises to remain at the forefront of the minds of financial institutions’ directors, officers, IT professionals and risk managers, and rightfully so. However, inadequate attention is often paid to financial institutions’ cyber liability insurance, both in applying for (or renewing) the insurance and in securing state-of-the-art improvements to the terms and conditions of the policy. While the unabated changes to cyber threats and regulatory requirements require vigilance, financial institutions must apply similar attention to the asset most likely to respond if a hack or other privacy event occurs.
Broadly speaking, cyber liability insurance provides coverage for first-party loss or third-party liability a business may face in the wake of a data breach or hacking event where personally identifiable information has been compromised. Additionally, the policies often provide reimbursement for losses arising out of business interruption, cyber extortion, computer fraud, or lost data, among others.
But as losses under cyber liability insurance policies mount, insurers have used the uncertainty of an ever-shifting landscape to find novel ways to seek to disclaim coverage. While a full privileged policy audit can identify potential gaps in coverage and recommend a strategy for securing the broadest coverage, a few areas deserve special mention here because they are the focus of recent cases or arguments made by insurers:
- Mind Your Application. Cyber insurance applications have been asking for more and exceedingly detailed information. Insurers have attempted to use any deviations from the information provided as grounds to rescind (in effect, cancel) the insurance policy.
- Broad Exclusions Meant for Other Risks. Certain exclusions (e.g., liability arising from war or terrorism) can be written so broadly as to sweep in many types of cyber-attacks that were never intended to be excluded.
- Not All Hacks Are Created Equal. Many popular hacking methods, such as social engineering schemes, may not be covered under policies where policy language has not been updated from year to year.
- Make Sure Your Insurer Knows Cyber Liability. While the significant claims history on cyber liability insurance policies has scared some underwriters away from the market, there are still a lot of insurers that do not understand the risk they are underwriting. In claims situations, those insurers can often be the most challenging to deal with.
- Retroactive Dates Can Come Back to Bite You. Retroactive dates can be significantly more damaging to coverage in cyber liability insurance than in other types of insurance policies, because many hacks are not discovered for months after the system was first penetrated.
- Cyber Response Plans Must Include Insurance Requirements. Any effective cyber or privacy event response plan must outline the requirements for notifying insurer(s), how best to document losses, and whether you will be able to retain the counsel and vendors of your choice or whether the insurer will select them for you.
There are of course many other important and complicated aspects to a sound cyber liability insurance policy, but with careful consideration and time spent understanding the policy and the process of securing it, many of the pitfalls can be avoided so that your company can focus on managing the hacking or privacy event.
For more information, please contact your Michael Best attorney or Eric G. Barber at firstname.lastname@example.org or 608.283.4424.