This post is a continuation of my top ten recommendations for negotiating your cyber insurance policy. The first five tips are in Part 1.
- Consider the Allocation of Defense Costs
Where both covered and non-covered claims are asserted in the same lawsuit against the insured, an issue often arises regarding the proper allocation of defense costs. What portion of the insured’s defense costs must the insurer pay? For example, some policies provide that the insurer will pay 100% of defense costs if the lawsuit alleges any claim that is potentially covered. Others say that the insurer will only pay the portion of defense costs it unilaterally believes to be covered until a different allocation is negotiated, arbitrated or judicially determined. These issues are less likely to arise in a “duty to defend” policy (where the insurer must assume the insured’s defense of any third-party claims), which typically covers 100% of defense costs so long as any of the claims against the insured is potentially “covered.” But under a “duty to reimburse” policy (where the insurer agrees to reimburse the insured for its defense costs or pay them on its behalf), allocation is more likely to be disputed. It is important to understand the allocation method contained in the policy. Try to negotiate one upfront that’s favorable to you.
- Obtain Coverage for Vendor Acts and Omissions
Chances are that at least a portion of your organization’s data processing and storage is outsourced to a third-party vendor. Therefore, it’s crucial that your cyber policy covers claims against you that result from breaches caused by your data management vendors. It’s widely understood in the insurance industry that policyholders expect coverage for claims that arise out of the acts and omissions of their vendors, consultants and subcontractors. If such coverage is not initially offered, or is at all ambiguous, you should demand that it be clearly included in the policy.
- Dovetail Cyber Insurance with Indemnity Agreements
You should also ensure that your cyber policy and vendor indemnity agreements complement each other so you can maximize your recovery from both sources. Some cyber policies state that the deductible or self-insured retention “shall be borne by the insured [and remain] uninsured at its own risk.” Some insurers may interpret this language as requiring the insured to pay the deductible or retention out of its own pocket, and argue that if the insured gets reimbursed for this amount from the vendor that caused the breach, then it has failed to satisfy this precondition to coverage. This kind of clause can present you with a Hobson’s Choice: either pursue indemnity from your vendor and give up your insurance, or collect from your insurance company and let the responsible vendor off the hook. This unfair outcome is not in the interest of either insurer or insured. As a result, insurers are often willing to modify these provisions to clarify that the insured can collect its self-insured retention from a third party without compromising its insurance coverage.
- Align Cyber Insurance with Other Insurance
Some cyber policies also cover claims made against you for losses caused by data breaches suffered while the data is in your third-party vendor’s custody. There may be business reasons for wanting vendors to be insured under your policy, but it’s generally better to contractually require your vendors to obtain their own cyber insurance to act as the primary coverage for claims, naming you as an additional insured. Then, arrange for your policy to state that it will only apply to claims against you arising out of your vendor’s data breach in excess of that vendor’s insurance. This structure can reduce the odds that your insurance policy limits will be depleted by claims for which your vendors are primarily responsible.
- Get a Partial Subrogation Waiver
If your insurer pays a loss, it may become “subrogated” to your claims against any third parties that were responsible for causing the breach. This means that the insurer can try to recoup its payment to you by pursuing your claims against the responsible parties. Many cyber policies contain a provision stating that you cannot take any action to impair the insurer’s subrogation rights. But contracts with data management vendors commonly include limitation of liability provisions. And cyber insurers may then contend that you breached your insurance contract by impairing or limiting your insurer’s recourse against the culpable vendor. A possible fix is to insist that a partial “waiver of subrogation” provision be added to your cyber policy. Such provisions, which are quite common in other lines of coverage, simply provide that the insurer will not assert that its subrogation rights have been impaired by any contract into which you entered before a loss occurs. Some insurers are willing to agree to such provisions in the cyber context, but others may not be. If your insurer is not willing to give a partial subrogation waiver, consider shopping elsewhere.