[BreachExchange] 4 pitfalls to avoid in a cyber insurance policy

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 17 18:52:40 EDT 2017


http://www.propertycasualty360.com/2017/04/17/4-pitfalls-to-avoid-in-a-cyber-insurance-policy?t=cybersecurity?ref=channel-feature

As more and more companies enter the burgeoning cyber insurance
marketplace, they often ask policyholder counsel like me how they can
choose the best cyber policy when confronted with so many choices.

When the marketplace was still in its infancy just a few years ago, this
was a considerably harder question because the policy forms, including the
scope of first-party and liability coverages being offered by different
insurers, varied so drastically. But as the cyber insurance marketplace
enters its adolescent stages, more standardization in available coverages
and exclusions is emerging, at least at a high level.

But what has not changed is that many key terms of these policies remain
negotiable (considerably more so than for other types of insurance
policies), and the courts have been presented with few opportunities to
provide guidance on how key provisions in these policies are likely to be
interpreted.

The net result is that prospective policyholders can and should continue to
negotiate aggressively in the underwriting process, especially when
purchasing cyber coverage for the first time. But what provisions should a
prospective policyholder be most concerned about? The answer depends
largely on the most prevalent risks faced by individual companies, which
are unique to them.

However, there are some provisions common to many cyber policies that, in
my view, present risk to all policyholders due to imprecise or
inappropriately restrictive coverage language. Because these provisions are
almost certain to be the basis of numerous denials of coverage, they are
likely to be tested in litigation in the next few years and deserve
particular focus by prospective policyholders. Some of these looming
battleground provisions include:

Retrospective dates

Most cyber policies are subject to a specified retrospective date, which
means that liability claims, such as data breaches, arising from events
occurring prior to that date are not covered. Often, the insurer will set
the retrospective date at the inception date of the first policy the
insurer issues to a particular insured. This can be a significant problem,
especially for first-time insureds, due to the close temporal proximity
between the retroactive date and any potential claims.

To make matters worse, many cyber policies contain language purporting to
relate all causative events back in time to the date of the initial
causative event. In many cases, this problem will begin to alleviate itself
over time if the policyholder renews its cyber policy with the same insurer
(i.e., the retroactive date will remain fixed at the initial inception date
as successive policies are issued). That said, I still see more cyber
claims denied on this ground than any other.

Some cyber insurers will agree to backdate applicable retroactive dates for
prospective policyholders and some will not. Particularly with respect to
the latter, significant factual disputes regarding the specific events
precipitating an otherwise covered claim are entirely foreseeable. The
complex technical aspects of data networks and the inherent uncertainties
regarding the genesis of many breaches are likely to exacerbate these
disputes even further.

Unauthorized access to computer systems

Many cyber policies provide coverage only where access to the insured's
computer system is "unauthorized." Some insurers will argue that this
precludes coverage where an employee negligently provides access (such as
losing his or her password) or is tricked into providing access (such as in
a spear phishing attack).

Some insurers have sought to clarify the scope of "unauthorized access" by
defining that term in their policies, but others have not. Like many cyber
policy provisions, the scope of this definition may be negotiable, and any
ambiguities should be resolved in favor of the policyholder under general
principles of insurance policy interpretation. But given the
ever-increasing frequency of cyber fraud and the ever-increasing ingenuity
of cyber fraudsters, the extent to which there is coverage under
cyber policies for unintentional but arguably authorized access to computer
systems is likely to be disputed vigorously.

War and terrorism exclusions

Many cyber policies exclude loss arising from acts of war and terrorism,
and define those terms broadly. Because these exclusions are carryovers
from older types of liability policies, they often are overlooked as mere
boilerplate for companies whose operations are largely domestic. But the
danger of these exclusions in the cyber context, if not worded
appropriately, is that they potentially preclude coverage for cyber attacks
initiated by individuals or entities in foreign countries, where many of
the most serious attacks originate.

I have seen a number of these exclusions in which the insurer could make a
reasonable argument that a state-sponsored attack by a foreign government
(e.g., the North Korean attack on Sony), or even loosely affiliated groups
or individuals with a particular political or social agenda, falls within
the scope of the exclusion. Because cyber attacks by foreign entities are
now so ubiquitous, this should be a serious concern for policyholders, not
just an academic discussion.

Some insurers are now willing to negotiate a more appropriate scope of
these exclusions (e.g., carving "cyberterrorism" out of the exclusion). But
for insurers that refuse to negotiate this language, the extent to which
attacks originating abroad constitute acts of war or terrorism is likely to
be a hotly disputed issue.

Exclusions for generalized acts or omissions

Some cyber policies exclude coverage where the insured fails to follow
"minimum required security practices," employ "best security practices," or
comply with its own security policy. In my view, these exclusions are
inappropriately overbroad and lend themselves to subjective application.

Even though these exclusions are becoming far less common in cyber policies
(probably due to marketplace pressures to remove them), they still persist
in some cyber policy forms. In fact, one of the few coverage lawsuits filed
to date involving coverage under a cyber policy was focused on precisely
this issue (although it was dismissed on other grounds). As long as these
exclusions persist, their inherent ambiguity and uncertain application are
likely to make them the subject of considerable dispute.

If you have any doubts about whether your company is getting the most bang
for its buck when buying cyber coverage, ask your broker specific questions
and consult with coverage counsel experienced in cyber policies.