As more and more companies ranging across a wide spectrum of industries have been exposed to network and data security breaches, the market for insurance products to cover cyber risks has grown just as fast. With policies sold under names like “cyberinsurance,” “privacy breach insurance,” “media liability insurance” and “network security insurance,” the market is chaotic. Premiums and terms vary dramatically from one insurer to the next. And because cyber policies are far from uniform, it’s crucial to understand not only what you’re being offered, but also how to negotiate coverage for the risks inherent in your business. This post contains five of my top ten recommendations. (The remaining five tips are in Part 2.)
- Buy Only What You Need
Many cyber policies offer an “à la carte” option to purchase seven basic coverages. Three of those coverages involve third-party losses: (i) Privacy Notification and Crisis Management Expense, (ii) Regulatory Defense and Penalties, and (iii) Information Security and Privacy Liability. Two involve first-party “time element” coverage: (i) Business Interruption and (ii) Extra Expense. Two others provide first-party “theft of property” coverage: (i) Data Assets and (ii) Cyber Extortion. With all these bells and whistles, consider your specific risks and whether you really need all of the coverages offered. Always include notification, crisis management expense, and regulatory defense coverage. Time element coverage is also important, especially for small businesses, as lack of income for even a short period may be disastrous. If an insurer is unwilling to remove an objectionable exclusion or limitation from its policy, ask your broker to get bids from other insurers. The cyber insurance market is highly competitive, with many insurers currently focused on building market share. One might be willing to provide coverage or terms that another will not.
- Carefully Vet the Limits of Liability
The costs of responding to a data breach can be substantial. In 2014, the average organizational cost of a data breach was approximately $5.8 million. Response costs for breaches involving the loss or theft of personal data were as much as $950 per electronic record. To put that number in context, if plaintiffs in a class-action suit obtained a judgment under a state statute that imposes $1,000 in damages for each claimant, the judgment alone could consume $25 million of insurance policy limits. Cyber insurance is relatively inexpensive. Choose limits in line with your total potential exposure in the event of a breach. Your broker should be able to assist you in determining appropriate limits by utilizing its benchmarking databases. And be aware that most cyber policies impose sublimits on some coverages, such as for crisis management expenses, notification costs or regulatory investigations. These sublimits are not always obvious and are often inadequate. They should be scrutinized carefully and set realistically. Also, make sure that the policy’s aggregate limit applicable to all coverages is not less than the total of all sublimits.
- Obtain Retroactive Coverage
Many cyber policies limit coverage to breaches that occur after a specified “retroactive date.” In some, this date is the same as the policy’s inception date. This means there may be no coverage for claims arising from breaches that occurred before the policy period, even if the insured didn’t know about the breach when it bought the policy. Insureds should always ask for a retroactive date earlier than the inception date. Insurers do not always offer retroactive coverage unless asked, but it’s commonly available for periods of one, two, five or ten years. Some offer unlimited retroactive coverage.
- Beware of Broadly Worded Exclusions
It’s not uncommon to find cyber insurance provisions that contradict the insured’s basic purpose in buying the coverage. Sometimes these provisions have been cut from other insurance policy forms and pasted into cyber insurance forms where they don’t belong. To cite one example, some policies broadly exclude coverage for any liability arising from a breach of contract. Many insureds collect and store confidential information from customers, patients or business partners under contracts that require them to maintain its confidentiality. They buy cyber insurance precisely to protect them in case a privacy breach gives rise to damages claims under such confidentiality agreements. Many insurers, if asked, will modify exclusions to make it clear that they won’t bar coverage for claims that go to the core of an insured’s business. Such broadly worded exclusions need to be reviewed carefully and narrowed to make sure that they won’t defeat the insured’s reasonable expectations in buying cyber insurance.
- Beware of Panel and Consent Provisions
Many cyber policies require the insured to use only investigators, consultants or attorneys drawn from a list pre-approved by the insurer. If you’d like your own consultants and attorneys to be involved because they already know your business, it’s a good idea to ask to add these professionals to the insurer’s pre-approved list during the underwriting process. Cyber policies also often contain provisions requiring the insured to obtain the insurer’s consent before incurring any expenses to notify customers or patients of a data breach, conduct forensic investigations or defend against third-party claims. Insurers sometimes invoke such prior-consent provisions to deny coverage when emergency costs have been incurred without the insurer’s consent, even if the costs are entirely reasonable and necessary. If prior-consent provisions cannot be removed from the policy, you should, at a minimum, change them to provide that the insurer’s consent “shall not be unreasonably withheld.” It’s also a good idea to keep your insurer on speed dial when a breach happens, so that it cannot assert that it’s been kept in the dark about the emergency-response costs you incur.