
Pressure points in cyber insurance policies revealed in litigation


Having been on the market for only a little more than a decade, cyber insurance remains a relatively new product with little standardization of policy language across cyber policies. Compounding this is the fact that insurance companies’ views of where risk lies and how much it costs to transfer those risks continue to evolve, resulting in continual changes to their cyber policy forms. Given the lack of standardization across policies, it is useful to think in terms of prior claims when placing a cyber policy, because the points of tension in cyber policies are often revealed when litigating cyber claims. This article outlines a few examples of claims involving cyber policy provisions that may impact the availability and extent of coverage.

Following an attack

Accuracy in insurance applications

Given the frequency of cybersecurity events, insurers have been engaging in heightened underwriting practices to ensure policyholders are proactively taking measures to prevent breaches before they occur. As part of the application process, policyholders are generally required to provide detailed information about their computer networks and security protocols, and failure to provide accurate information during this process may result in claim denials or attempts to rescind the policy. For instance, in Travelers Property Casualty Company of America v. International Control Services, Inc., 2:22-cv-02145-CSB-EIL (C.D. Ill. July 6, 2022), after the insured fell victim to a ransomware attack, the insurer denied coverage and sought a declaration that the cyber policy was null and void based on allegedly false information the insured provided in its policy application. According to the complaint, the insurer alleged the insured misrepresented its protocols regarding its use of multifactor authentication.

As this case demonstrates, policyholders must manage the cyber insurance application process carefully to ensure they are providing accurate and thorough information. This is typically a team effort, involving the company’s risk management, legal and information technology teams, and requires substantial preparation. Insurers often engage in “post-loss underwriting,” in which they search for potentially defective application responses as a defense to coverage when a loss or claim occurs. The only way to prevent this tactic is to be as accurate and thorough as possible in the application process.

Failure to follow minimum required practices exclusions

In a similar vein, some cyber policies contain an exclusion that bars coverage where an insured fails to maintain minimum security standards. The contours of this exclusion vary, with some policies excluding coverage where an insured fails to comply with “industry standards,” and others excluding coverage for failure to comply with certain specifically enumerated practices. The exact wording of this exclusion may be critical because certain overly broad versions of it arguably provide insurers cause to deny coverage for basically any data breach.

In Columbia Casualty Co. v. Cottage Health System, 2:15-cv-03432 (C.D. Cal. May 7, 2015), the insurer sought a declaratory judgment that it was not required to provide defense or indemnity coverage to an insured that suffered a data breach and was subject to a class action lawsuit. The class action alleged the insured stored medical records on a system that was fully accessible from the internet but failed to take security measures to protect those medical records from becoming available to anyone browsing the internet. After the insurer agreed to fund a $4.125 million settlement of the lawsuit under a full reservation of rights, the insurer sought reimbursement of those funds on the ground that a “Failure to Follow Minimum Required Practices” exclusion – which precluded coverage for failure “to continuously implement the procedures and risk controls identified in the Insured’s application” – barred coverage. Among other things, the insurer alleged the insured failed to:

  • Replace factory default settings to ensure that its information security systems were securely configured;
  • Regularly check and maintain security patches on its systems; and
  • Exercise due diligence with respect to its information security management vendor’s safeguards.

Even where policyholders are accurate and thorough in their insurance applications, if a policy contains a “failure to follow minimum required practices” exclusion, there is an opportunity for insurers to engage in the sort of post-loss underwriting that may result in a denial of coverage. The specific wording of this exclusion may have an impact on the ability of insurers to deny coverage.

Notice provisions

A strict notice requirement can be problematic due to the nature of cybersecurity incidents, which may manifest themselves in ways that can be misinterpreted. It is not uncommon for information technology personnel to notice an irregularity or “glitch” and, instead of reporting the issue to risk management or senior management, simply attempt to fix the issue, only to later discover the irregularity was evidence of an attack in progress. Depending on the notice language in a policy, this can cause problems for an insurance claim.

Some cyber policies have a notice provision that requires that a loss be discovered and notified to the insurer before the end of a policy period. If an insured discovers an incident very shortly before the end of a policy period but does not or cannot provide notice until after the end of that policy period, because, for example, it did not appreciate the significance of the irregularity or glitch it discovered or because it did not have processes in place to ensure such incidents are reported immediately, the insured may face a late notice defense by its insurer. The insurer may deny coverage both under the policy in place, due to late notice, and under a subsequent policy, because the event was discovered prior to that policy period, leaving the insured without any coverage.

To avoid these situations, insureds should establish processes to ensure that they report cybersecurity incidents immediately after discovery. Further, when placing cyber policies, insureds should negotiate for liberal notice provisions that allow for the reporting of incidents discovered during the policy after the end of the policy period. These extended reporting periods typically allow for at least an additional 30 days to provide notice after the expiration of the policy period.

First-party coverage provisions

Several key issues often arise in first-party cyber coverage disputes, and the presence or lack of certain policy provisions can significantly affect coverage. Entities seeking to purchase cyber insurance should bear these points in mind.

Prior written consent

It may be difficult to communicate with insurers in the wake of a data breach because insureds are instead dealing with the dire emergency caused by the data breach – or in some cases, may have their email and telephones compromised or lack access to electronic copies of insurance policies. This often leads to insureds retaining necessary vendors (such as counsel and incident response personnel) and incurring significant pre-tender costs, for which insurers may deny coverage based on requirements that the policyholder obtain the insurer’s prior written consent to retain the vendor and/or incur costs. Insureds should seek to have their preferred vendors pre-approved (some policies require that the policyholder select vendors from a “panel,” in which case prior consent may not be required). If possible, policyholders may also negotiate to remove prior written consent requirements or include a grace period during which the policyholder may incur costs without prior approval so that they are able to seek recovery for pre-tender costs.

Legal expenses

The legal expenses incurred after a data breach are often significant, but only a portion of them may be covered. This is because some cyber policies cover only legal costs related to determining notification requirements (although some provide broader coverage). Breach counsel is frequently required to do far more than simply determine and ensure compliance with breach notification laws – for example, counsel often engages incident response vendors and forensic accountants, and participates in forensic investigations to ensure that the vendors’ communications with the company are cloaked in privilege and protected against disclosure in the event of a third-party claim. Insureds should negotiate for broad coverage of legal expenses so that all necessary legal costs incurred after a data breach are covered.

Bricked hardware

Although cyber policies usually cover damage to digital assets, they often exclude coverage for damage to hardware. Cybersecurity incidents, however, regularly cause hardware to be “bricked,” making it more cost-effective – and faster – to replace the hardware rather than attempting to restore the damaged software or firmware. Insureds should seek to purchase coverage for bricked hardware to avoid being subject to extensive uncovered hardware losses.

Ransomware payments

Insurers sometimes attempt to treat ransomware demands like third-party settlement demands, suggesting that the extortion payment must be reasonable or imposing a requirement that any ransomware payment be less expensive than other alternatives before they will agree to cover it. The problem with this approach is that any ransomware payment is, by definition, unreasonable. Businesses do not willingly pay them; they only do so because they have no choice. Further, in most cases, the business must pay the ransom fairly quickly or else it will be at risk of losing the opportunity, such that it may be impossible to know whether making the payment will be less expensive than other alternatives. Insureds should be hesitant to agree to any provision that makes coverage for ransomware payments contingent on making such a showing.
