[BreachExchange] Cyber policies start to show their limitations

Tue Jul 19 10:40:46 EDT 2016

http://www.businessinsurance.com/article/20160717/NEWS06/160719822/pf-changs-2014-data-breach-chubb-federal-insurance-cyber-insurance

Policyholders should be aware of potential gaps in their cyber insurance as
standardized language is still in the early stages of development and
policies can vary greatly in what they do and do not cover.

Experts say because standard policy language has not yet developed for
cyber risks, risk managers should watch out for inadequate sublimits and
that the insurance is highly unlikely to cover property and bodily injury
losses.

The warnings followed what may be the first ruling involving a cyber
insurance policy.

In the case, a federal judge in Phoenix ruled against Scottsdale,
Arizona-based P.F. Chang's China Bistro Inc. in a coverage dispute with a
Chubb Ltd. unit (see story, page 38). P.F. Chang's is appealing the ruling
to the 9th U.S. Circuit Court of Appeals in San Francisco.

Cyber policies are not like property policies, which “have been around for
20 years and where the language from one insurance company to another is
going to be very, very similar if not identical,” said Patrick X. Fowler, a
partner at Snell & Wilmer L.L.P. in Phoenix. “Cyber insurance is a
different animal because it is so new.”

“Many companies will have unique risks simply by virtue of the way they
conduct business or the type of business they're in or just the overall
risk environment that they face,” and customized coverage frequently is
necessary, said William Boeck, senior vice president, insurance and claims
counsel at Lockton Cos. L.L.C. in Kansas City, Missouri.

“This remains a highly manuscripted world,” said Thomas B. Alleman, a
member of law firm Dykema Gossett P.L.L.C. in Dallas. “The market is
evolving quickly, and I think the policy forms are evolving quickly.”

Make certain that coverage described on the declaration page of the cyber
policy is reflected in the rest of the policy, said Robert Parisi, managing
director and national cyber risk practice leader at Marsh L.L.C. in New
York. Just looking at the declaration page “doesn't tell the whole story,”
he said.

Make certain that exclusions “are appropriately narrow, so they don't take
away what you've bargained for,” said Russell P. Cohen, a partner

at Orrick, Herrington & Sutcliffe L.L.P. in San Francisco.

Experts also say buyers should make sure sublimits are adequate.

Breach response costs, including investigation, notification and public
relations, “can be subject to separate sublimits and, if (policyholders)
don't pay close attention, they may find that they maybe have a $1 million
dollar policy” but a sublimit of only $50,000 for notification costs, which
can be significant, said Matthew J. Siegel, a member of Cozen O'Connor in
Philadelphia.

Stephen D. Raptis, a partner at Manatt, Phelps & Phillips L.L.P. in
Washington, said retroactive dates should be checked in the cyber cover and
negotiated.

“I've seen more claims denied on that ground in these cyber policies than
on any other ground,” Mr. Raptis said of the issue that is a particular
problem for first-time buyers. If a cyber event occurred before the issue
date, “there's not going to be coverage,” he said.

In addition, some desired cyber coverage may not be available.

“With extremely rare exceptions” bodily injury and property damage are
never covered in cyber policies, said Mr. Boeck. “There's lots of debate
now about how these losses should be covered, and what policy should
respond.”

Another issue insurers are still “trying to wrap their arms around” is
reputational and brand damage caused by cyber beaches, said Roberta
Anderson, a partner at K&L Gates L.L.P. in Pittsburg, which she anticipates
will be offered in the next couple years.

Pointing to the P.F. Chang's ruling, which is of particular significance to
retailers, Ms. Anderson said it has become the market standard to cover
fees and assessments arising out of contractually-assumed Payment Card
Industry Data Security Standards, which was the case here. The better
policies “do a good job” of covering these liabilities, she said.

But John C. Pitblado, a shareholder at Carlton Fields Jordan Burt P.A. in
Hartford, Connecticut, said the P.F. Chang's case shows policyholders
applying for coverage should still ask about contractual liability
associated with business partners.

“It's an important issue when it comes to these new cyber policies,” Mr.
Pitblado said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160719/96d5dd25/attachment.html>