[BreachExchange] Cyber Insurance: Common Pitfalls of the Insured

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 15 20:24:21 EDT 2016


http://www.jdsupra.com/legalnews/cyber-insurance-common-pitfalls-of-the-88012/

As we have noted in a number of recent posts, tech companies need cyber
insurance. The risk of not having it is simply not worth it.  But cyber
insurance policies can be confusing to understand because the policies vary
depending on your type of business, business needs, and how your customers
are serviced. Some companies might need a combination of cyber policies in
order to have complete cyber insurance coverage. It is very important to do
your due diligence, think critically about the cyber insurance needs of
your company, and find a policy that covers all of your company’s cyber
risk.

Companies must pay attention to the details of the cyber insurance policy
and be both clear and accurate about the representations they are making in
the application for coverage. The insurance industry makes money by
collecting premiums and minimizing claims. This creates a natural tension
between the policyholder and carrier.  When a company makes a claim, it
would like to get the benefit of the bargain it made with the insurer. That
benefit is for the insurer to pay for the claim. The insurer agrees to pay,
as long as the claimant has met all of its obligations under the policy.

In certain cases, coverage can be denied where a policyholder fails to meet
all of its policy obligations.  Say, for example, you’re the policyholder.
You suffer a data breach, resulting in a class action lawsuit seeking
millions of dollars in damages. You make a claim under the cyber insurance
coverage.  But your carrier discovers that you didn’t follow all of the
data security protocols you represented that you follow in your application
for coverage. Your carrier takes the position, based on your data security
failures, that your representations about your data security in your
application were false when they were made, and it denies coverage.  Before
you know it, you’re in litigation not only with a class of data subjects,
but with your insurance carrier as well.

There are a few take-home lessons here. First, make sure that the cyber
insurance application is vetted by the experts in the business to validate
its accuracy and completeness.  A cyber insurance application is not the
place to puff, overstate, or otherwise be aspirational or not quite
accurate.  Second, assuming the application was correct when it was
submitted, it must continue to be correct, and if there is a material
change, you should notify your carrier. Once a company receives coverage
based on a set of representations about ongoing data security practices,
those representations must continue to remain true.  Third, make sure you
know what the policy covers and excludes. Insurance policies are not easy
to read and understand, so this is an important piece of work.

Cyber coverage is absolutely worth it.  Hopefully you never need to use
it.  However, in the event that you do need it, make sure you do the right
work on the front end to enhance your likelihood of having a claim
successfully processed.