Insuranceciooutlook

Top 3 Blind Spots in your Cyber Insurance Coverage

By Florence Levy, SVP-Cyber/E&O Practice, JLT Specialty USA

Cyber risk is ubiquitous in today’s world, stemming from a heavy reliance on technology to conduct business, provide services, and improve connectivity and speed. Many aspects of cyber risk should be addressed within an organization, including the identification, quantification, and mitigation of network and privacy risks. Software, hardware, contracts, threat intelligence monitoring, policies and procedures, and internal training are all important elements of cyber risk mitigation. An enterprise-wide view of cyber risk would also include risk transfer via an insurance policy, positioned as the last stop in that continuum: a safety net should your company suffer a loss caused by a cyber or privacy event.

Cyber insurance procurement has experienced a significant upswing in the last several years, largely due to real losses paid under such coverage along with the evolution of the coverage to respond to clients’ needs. That evolution is vast, from very narrow computer-attack triggers to the broader concept of economic damage from privacy risks, both online and offline. Policies now offer both liability coverage and first-party response coverage in the event of an incident. The breach response services element of the coverage has gained traction over the years, particularly for companies that do not have the resources to handle such events in-house. Policies have also evolved to include regulatory coverage, cyber extortion, network interruption, and expanded media coverage. While the effectiveness of today’s policies has been proven in high-profile breaches that exhausted large insurance towers, it is important to note three blind spots in such policies prior to purchase.

1. Retroactive Dates

Liability insurance policies include both an inception date and a retroactive date. The inception date is the date the policy was purchased or renewed. The retroactive date is a more complex concept: it is the date on or after which a “wrongful act” or “incident,” as defined under the policy, must have occurred for the policy to respond. Many cyber purchasers are new to the coverage, and it is common industry practice for carriers to set the retroactive date to the date the buyer first purchases the coverage (the retroactive date should then be preserved year over year as long as there is no gap in coverage). The catch is that a wrongful act under a cyber policy, such as the date a hacker or unauthorized user first penetrated your system and went undetected, may occur well before the Insured becomes aware of the activity; intrusions are frequently discovered months after the initial compromise. From the underwriter’s perspective, they have not underwritten the Insured’s risk as it stood when such activity may have occurred, but rather the security and privacy risks as they stood at the time of first purchase. From the Insured’s perspective, as long as they were unaware of the activity or harm, Insureds prefer to back-date the coverage to take widespread latent breach issues into consideration. Carriers vary in their handling of such requests. Some may consider backdating the retroactive date by a couple of years at most, but will usually only do so with a robust warranty statement (a no-known-claims declaration) and a request for additional premium for taking on the perceived additional risk. The most important thing is that the Insured is aware of, and understands, how the policy differentiates between the wrongful act or threat itself and knowledge of that wrongful act or threat.

2. Regulatory Coverage

Regulatory coverage under cyber policies is limited to the costs of responding to governmental inquiries and investigations resulting from a security event or privacy breach. It does not extend to every type of regulatory event, and for most policies there still needs to be a privacy or security event, as defined under the policy, for coverage to be triggered. For example, an investigation into the adequacy of specific security controls, and the fines, penalties or settlements that result from it, may not be covered. A recent case involving Henry Schein, a dental practice software provider, highlights the latter limitation. Henry Schein was investigated by the Federal Trade Commission (FTC) on an allegation that the company falsely advertised the level of (industry-standard) encryption provided to protect patient data held by dental practices (FTC, 2016, p. 4). Under the FTC consent order, Henry Schein was required to pay $250,000 to the FTC to settle the investigation alleging inadequate encryption and misleading consumers regarding that encryption. Without specific knowledge of Henry Schein’s E&O/Cyber program, it seems unlikely that this settlement would be covered under the policy unless a security or privacy incident had led to the allegation. It is important for Insureds to understand the limitations of the various insuring agreements and to apply their own unique fact situations to the policy language.

3. Forensic Costs Under Breach Response Coverage

Standard computer forensic consultant costs under a cyber policy are triggered when a privacy or security event has occurred and the Insured expends its own funds to hire an outside consultant to conduct an investigation into the cause, scope, and severity of the event. What is unclear in some cyber policies is the extent of what an “investigation” is intended to cover. Oftentimes the computer forensic consultant not only determines the cause of the incident and puts parameters around the potential harm it may have caused, but, during the same engagement, extends its service to further analysis of the corporate network, ongoing monitoring, and/or recommendations and actions to eradicate further harm to the network. The key to this coverage grant will likely be the scope of work under which such consultants, and perhaps additional vendors, conduct the investigation. Remediation efforts that improve or enhance network security are unlikely to be considered covered costs under most cyber policies. Separating investigative work (cause, scope, severity) from remediation and hardening in the engagement letter and in the consultant’s invoices makes that distinction far easier to demonstrate at claim time. Communication between the Insured and the carrier around salient issues, such as when the investigation begins and ends, the extent of the additional services offered, and the length of any longer-term monitoring, is key to a properly managed claims adjustment process.

The three “blind spots” described above are some of the more nuanced coverage issues in a cyber policy that Insureds should be discussing with their brokers and insurers. Every cyber insurance policy is different, with varied terms, conditions and definitions, and should be reviewed individually for its specific coverage grants, exclusionary language that may carve those coverage grants back, other terms and conditions, and alignment with the Insured’s risk profile. It is important to recognize the limitations of these policies, while also noting that cyber policies have proven valuable in today’s rapidly evolving risk environment.