Which incidents and losses trigger coverage?
Ultimately, coverage should depend on the business needs of a policyholder. Thus, a key question is what the policy actually covers. Not all policyholders are created equally, and cyber liability policy forms also can vary significantly in scope.
When seeking to place cyber liability coverage, it is important to understand the scope of the coverage provided by the proposed policy. Most cyber liability policy forms include first-party coverage and third-party coverage. The first-party coverage responds to losses directly borne by the business, and generally includes coverage for (among other things) the costs of responding to and investigating a data or privacy breach, certain legal fees, cyber extortion (including ransomware) response costs and payments, data restoration, and business income loss. The scope of coverage for first-party losses can vary greatly from policy to policy. Third-party coverage responds to liability claims asserted against the company associated with a cyber liability incident, including investigations and actions by a governmental agency or a regulator. Companies seeking to place or renew cyber liability insurance should consult counsel to evaluate the sufficiency of the coverage and whether changes should be made to the policy (if feasible) or whether other options exist in the market.
Whose errors or breaches will the policy cover?
Cyber liability insurance typically covers malicious attacks committed by a third party. However, cyber liability risks also can arise from internal threats, such as intentional conduct by employees or other insiders, as well as unintentional errors or omissions. A policyholder should understand how the cyber liability policy responds to criminal or malicious acts by an external party and to employee activity (including acts by rogue employees) or errors or omissions committed by the company. In the event of malicious acts committed by employees, policyholders should determine whether those acts will be imputed to the company or other employees. A policyholder should also understand whether the policy will cover a vendor’s error – especially if the policyholder’s business tends to outsource sensitive information.
Which incidents and subject matter are specifically excluded?
There are a number of incidents and types of conduct that tend to be excluded from standard cyber liability insurance policies. For example, a cyber liability policy likely won’t cover the loss of intellectual property or the direct loss of money or property. Most policy forms exclude coverage for physical bodily injury or tangible property damage stemming from a cyberattack ‒ although coverage for “bricking” or computer hardware replacement costs is becoming more common ‒ and for businesses for which a cyberattack may result in liability for physical injury or damage to tangible property. Cyber liability policies will also typically include a “hostile act” or war exclusion, which may exclude coverage for losses resulting from a war or warlike event (depending on the language of the exclusion). A policyholder should review all exclusions and other coverage limitations in the policy to fully understand the scope of coverage, and, if feasible, seek to negotiate endorsements that may be needed for the business.
What are the policyholder’s obligations under the policy?
Should an incident potentially triggering coverage occur, policyholders need to understand the steps they must take and the obligations they owe to the insurer. Many policy forms require the insured to file a report of the incident with law enforcement. Some policies also have consent provisions, which require the insured to obtain prior consent from the insurer before incurring costs to respond to a cyberattack. Understanding these obligations is crucial for policyholders when they are reacting to an emergency situation.
Further, the policyholder will need to know when notice is required and what information is needed to properly report incidents. Many cyberattacks are highly sophisticated, and attackers can be adept at covering their tracks. It may take anywhere from a few days to more than a year (in some extreme cases) to discover that an intrusion has occurred. Based on this potential lag time, a policyholder must understand the reporting requirements of its policy, whether incidents or claims may be reported after a policy expires and whether late reporting may result in lost coverage. Moreover, for newly placed coverage, it is important to understand whether the policy contains a retroactive date potentially restricting coverage for incidents that occur but are not discovered before the policy incepts.
Does the insurer have policy forms that are tailored to specific industries?
As discussed above, the scope of cyber liability insurance coverage can vary greatly from policy form to policy form. Before negotiating a policy with an insurer, a business should ask whether the insurer has policy forms specific to the company’s industry. For instance, industrial or energy businesses that face risks of bodily injury or tangible property damage due to a cyberattack may seek policy forms or endorsements narrowing the scope of any bodily injury or property damage exclusions.
Is the policy broad enough to capture emerging risks?
Technology is constantly changing, as are the risks associated with it. While shopping for coverage, a company should ask whether the policy will apply to unknown risks.
Are there regional restrictions?
Some policies may cover only incidents that occur in the United States or in other specified jurisdictions. A policyholder should understand the regional limitations of the policy and whether the policy adequately covers territorial risks faced by the business.
What are the policy limits?
Cyber liability policies are usually written as “claims-made” for third-party coverage and “discovery-triggered” for first-party coverage. A policyholder should determine what limits apply to these types of coverage. For example, a policyholder can ask whether some insuring agreements are subject to sublimits of liability or have co-insurance requirements.
How does the cyber liability policy interface with other policies?
Cyber liability insurance should be part of a comprehensive incident response plan. Policyholders should understand how a cyber liability policy may interact or overlap (or not overlap) with other insurance policies. For instance, the business interruption coverage in some first-party property policies may respond to losses caused by a cyberattack or other non-physical events. In addition, policies may have competing “other insurance” clauses affecting whether those policies “go first” in the event of an incident triggering coverage under more than one policy. Companies should consult counsel to help identify potential overlaps or gaps between the policies.