Although policyholders may reasonably assume that a cyber-related liability should be covered by a comprehensive, standalone cyberliability insurance policy, recent claims experience and litigation reveal that the actual risks are less easily defined, that no two breaches are the same and that gaps in coverage may remain. Whether a particular policy will cover a specific cyber-related loss may depend on the terms of the policy and how it interacts with other insurance. Companies should take a holistic approach to risk management. The nature of today’s cybertechnology risks means that no single insurance policy should be viewed in isolation and that effective risk management goes beyond the placement of coverage and management of claims. Companies should proactively identify risks and review all policies together to determine where potential gaps in coverage exist (and how to fill them) and to determine the company’s obligations in the event of a loss or claim. Key personnel and first responders should be educated in the workings of the company’s insurance programme and how coverage is triggered in the event of a suspected loss or incident. Below are just a few of the trends developing in the cyberliability arena that companies should consider when developing a holistic risk management strategy.
Beware of “Small Dollar” Cyber Events
Ransomware and cyber extortion are growth areas in cyberliability and cybercrime. Ransomware demands, which may be covered by cyberliability insurance, are often below the retention in a typical cyberliability policy. But ransomware typically enters a company’s network in the same manner as other cyber incidents, such as through a phishing e-mail or a sophisticated network intrusion. What if other evidence of an intrusion is later discovered? Cyberliability policies typically have complex notice requirements specifying that incidents be reported during the policy period when the incident was “first discovered” or when it “first occurs.” If a later incident occurs – in particular, if it occurs after a policy is renewed – the insurer may assert a late-notice defence if the ransomware event was known but unreported in an earlier policy period. In addition, cyberliability policies often cover the costs of forensic investigations and other professionals, which the company may wish to retain in response to a ransomware attack.
Cyberliability Risks May Include the Physical
Many industries and emerging technologies straddle the physical and non-physical worlds. For instance, a security breach at an autonomous vehicle (AV) or energy delivery network may cause bodily harm and property damage. The blurring of the line between physical and non-physical risks calls for close attention to how the company’s different insurance policies interact with each other in the event of harm spanning the tangible and intangible worlds. Insurers have recently introduced specific policies and endorsements intended to bridge this gap, but the coverage is new and should be reviewed carefully in conjunction with existing insurance.
Attention to Vendor Chain Risks, Indemnification and Contractual Risk Transfer
Many companies use third-party vendors to host and process their data, but does the company’s cyberliability coverage respond to a breach occurring at the vendor and involving the company’s data? Many current cyberliability forms extend coverage to computer systems operated and information hosted “on the insured’s behalf” or “for the insured’s benefit,” but may require that a written contract exists between the policyholder and the vendor. Insureds should review any existing contractual defence and indemnity obligations in their agreements with vendors (or consider including them) and require vendors to procure their own cyberliability coverage, with specificity regarding the scope of coverage.
Interconnectivity May Equate to Shared Interruption Risks
With the increasing interconnectedness of systems across the world, an attack on one system may be an attack on yours. One recent example is the October 2016 outages in the USA and Europe caused by a distributed denial of service (DDoS) attack on Dyn, which acted as a switchboard for internet traffic. Although not specifically targeted at the theft of data, the Dyn DDoS attack resulted in significant business interruption losses to major online companies, including Twitter, PayPal and Spotify. Including network business interruption (NBI) coverage as part of a comprehensive cyberliability policy may be essential if a company’s operations are at risk.
Mind the Phishing Gap
Cyberliability policies typically do not cover the direct loss of money or property, even if caused by what most people consider to be cyber events, such as phishing scams, which are at a record high. Many companies purchase commercial crime policies or fidelity bonds, which may include coverage for direct losses due to “computer fraud” or “computer crime.” Although these policies may sound like they ought to cover such losses, insurers have argued otherwise, and some courts have agreed. For example, the US Court of Appeals for the Fifth Circuit recently held that Apache Corporation’s losses resulting from paying USD7 million in fraudulent invoices, which had been submitted to an Apache employee through a phishing scam, were not covered by its commercial crime insurance because the payment was authorised by an employee and the e-mail containing the invoices was merely incidental (ie, indirect) to the loss. In a similar case now before the US Court of Appeals for the Ninth Circuit, Travelers is contesting whether its commercial crime insurance policy covers a USD700,000 wire transfer to a person posing as one of the company’s vendors, made after a senior officer responded to a fraudulent e-mail.
Overlapping or Inconsistent Coverage — Check Your Boiler Machinery Policy
Traditional first- and third-party policies may include endorsements intended to provide some degree of protection against security and privacy risks, and in many cases one company may have multiple policies containing cyberliability endorsements. These endorsements may not be tailored for a particular company or insurance programme and may contain provisions that are inconsistent or incompatible with the new comprehensive cyberliability policy the company has purchased. For instance, the endorsements may contain restrictive retention or “other insurance” clauses allowing the insurer to refuse payment until other policies are exhausted. They may also impose burdensome obligations on the policyholder, such as the submission of sworn proofs of loss for all claims or losses, or allowing the insurer the unfettered right to take sworn testimony of company officers. At the same time, these one-off security and privacy endorsements on traditional liability policies may offer little to no coverage, leaving the policyholder to fight it out with multiple insurance companies and overcomplicating the claims process.
Although comprehensive cyberliability insurance has become widely available and offered by all the major insurers, a company must take critical steps to make sure that the insurance will actually pay when it is needed. Given all the risks discussed here and other potential pitfalls, companies should (i) review and understand proposed and existing policies carefully in advance of claims, and in conjunction with the company’s other insurance coverage, to identify and where possible fix gaps in coverage; and (ii) make insurable risk management a stakeholder in the company’s breach response plan so that the company’s valuable insurance coverage is not “left on the table” in the event of an incident.