[BreachExchange] Don't jeopardize your cyberinsurance claim

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 15 14:46:56 EST 2017


http://www.propertycasualty360.com/2017/12/14/dont-jeopardize-your-cyberinsurance-claim?t=cybersecurity?ref=featured-topics

Recent reports confirm that cyber insurance uptake is on the rise.

Driven by recent ransomware attacks, data breaches and a maturing
appreciation that 100% cybersecurity is a fiction, more companies are
looking to cyber insurance to transfer some of the risks associated with
these ever-increasing and serious threats.

But all cyber insurance policies are not created equal, and one size
definitely does not fit all insureds. It’s imperative, therefore, that
prospective insureds take steps to ensure that they’re purchasing the
appropriate cyber coverage to address their entity’s unique cyber risk
profile.

The insured’s work, however, is not over when the policy is bound. At that
point, it’s critical for companies to have a full understanding of their
affirmative obligations under the policy so that they do not inadvertently
jeopardize coverage in the event of a claim.

Market challenges

Currently, there is no standard cyber insurance policy form, and there can
be very significant differences in coverages, definitions and exclusions
from policy to policy. In addition, insurers frequently update and modify
their own policy forms in light of emerging threats and market developments.

Insureds can often choose from a selection of different coverage options
within an individual cyber policy. These apply to a variety of exposures,
such as third party liability, breach response, extortion, computer fraud,
regulatory defense, website media liability, and business interruption.

Today’s fluid and evolving cyber insurance market can make it challenging
for prospective insureds to meaningfully compare different insurers’
policies. For that reason, insureds often seek experienced advisers to help
them select appropriate coverage to address their specific cyber needs. An
adviser also can assist in negotiating better coverage terms, revision of
onerous policy conditions and requirements, and consent to use the
insured’s preferred vendors and consultants in the event of a cyber
incident.

As noted, a policyholder’s work is not finished once it has purchased a
cyber policy. The insured needs to be cognizant of the representations it
made to the insurance company in connection with procurement of the policy
and understand the affirmative obligations imposed on the insured by the
terms and conditions of the policy. Failure to do these things may put
coverage at risk in the event of a claim.

Avoiding missteps

Representations made to the insurer: Although there is no standard
application for cyber insurance, insurers usually ask for similar types of
information from a prospective insured, including customary financial data
about the company, such as assets and revenues, number of employees, and
planned merger and acquisition activity. In addition, cyber applications
typically seek, in varying levels of detail, information about the
applicant’s data-handling, privacy and cybersecurity practices.

Care should be taken to accurately complete the application, which will
become part of the issued policy. Input from a cross section of
stakeholders throughout the enterprise likely will be required to provide
factually correct answers to the insurer’s questions. Insurers may require
the company’s president, CEO, and/or CIO to sign the completed application
and attest to the accuracy of the company’s responses.

Inaccurate information provided in the application process may jeopardize
coverage in the event of a claim. For example, XYZ Inc. states in its
application that it always encrypts data containing personally identifiable
information (PII), and an insurer issues a policy in reliance on XYZ’s
representations. If XYZ were to be hacked during the policy period,
resulting in the theft of unencrypted PII, coverage for its claim may well
be at risk.

Similarly, if Company ABC represents that a qualified attorney approves all
website content in advance and disparaging claims against a competitor are
later posted on ABC’s website by an unsupervised employee, coverage for the
competitor’s claim may be affected.

Notice of Claim: Cyber policies routinely contain explicit provisions
concerning how and when an insured must provide notice of a claim.
Depending on the policy wording, factual circumstances and applicable law,
an insured’s noncompliance with this condition may provide grounds for its
insurer to deny the claim.

Cyber insurance notice conditions are anything but uniform. For example,
one policy contains the following provision: “The Insured’s duty to report
a Claim commences on the earliest date a written notice thereof is received
by an Executive Officer. If an Executive Officer becomes aware that a Claim
has been made against any Insured, the Insured, as a condition precedent to
any rights under any Third Party Liability Insuring Agreement, must give to
the Company written notice of the particulars of such Claim, including all
facts related to any alleged Wrongful Act, the identity of each person
allegedly involved in or affected by such Wrongful Act, and the dates of
the alleged events, as soon as practicable. The Insured agrees to give the
Company such information, assistance and cooperation as it may reasonably
require.”

The term “Executive Officer” is defined in that policy as “a member of the
board of directors, board of trustees, board of managers, board of
governors, officer, natural person partner, principal, risk manager, LLC
Manager, in-house general counsel, or branch manager of the Insured
Organization, or a functional equivalent thereof.”

In contrast, another policy contains a very different condition, requiring
notice: “upon knowledge of the insured organization’s President; members of
the Board of Directors; executive officers, including the Chief Executive
Officer, Chief Operating Officer, and Chief Financial Officer; General
Counsel, staff attorneys employed by the insured organization; Chief
Information Officer; Chief Security Officer; Chief Privacy Officer;
Manager, and any individual in a substantially similar position as those
referenced above, or with substantially similar responsibilities as those
referenced above, irrespective of the exact title of such individual and
any individual who previously held any of the above referenced positions…”

Notice obligations vary greatly

As these examples illustrate, notice obligations can vary greatly from
policy to policy. Insureds are urged to examine the specific requirements
of their policy, including any excess policy(ies), and implement internal
processes to identify the individuals implicated by the policy condition
and instruct them in advance as to their responsibilities.

Prior consent: Cyber policies generally require the insured to obtain the
insurer’s “prior written consent” before expending funds in connection with
an event covered by the policy.

For an insured in the throes of dealing with a security breach, network
shutdown or ransomware attack, however, obtaining an insurer’s written
consent before addressing the situation may not be top of mind.

Consequently, insureds need to take note of their policy’s prior consent
provisions and incorporate those requirements into their incident response
plans and employee training programs.

Cyber insurance can provide a lifeline to companies suffering a cyber
incident. Prospective insureds that have a good understanding of their
unique cyber risk profile will be better able to select the appropriate
coverages, but they should then take steps to ascertain and operationalize
their policy’s various conditions and requirements so that they will be
less likely to put their coverage at risk when they need it most.