
10 tips to maximize insurance recovery for cyber risks


Cyber risks – which include ransomware attacks, data theft, phishing emails with embedded malware, cyber extortion, identity theft, social engineering attacks and data breaches – are causing increasing concern for companies small and large across all industries.

Preparing for an attack

According to the Cost of a Data Breach 2022 Report by IBM/Ponemon Institute, the global average cost of a data breach in 2022 was $4.35 million. Breaches in the health care industry were the costliest at $10.1 million on average, and breaches in the U.S. were the most expensive at $9.44 million. These attacks (and the potentially severe costs of responding to and remedying them) can spark ripple effects on a company’s financial viability and reputation.

Civil litigation arising from cyber risks is also increasingly common. In addition to litigation filed by consumers and other parties affected by an attack, in October 2021 the U.S. Department of Justice announced a new Civil Cyber Fraud Initiative (CCFI). The CCFI uses the False Claims Act to hold federal contractors and grantees accountable for knowingly furnishing deficient cybersecurity products or services, misrepresenting their cybersecurity practices, or knowingly violating obligations to report cybersecurity incidents.

In light of this increased scrutiny and exposure to risk, businesses have to do more up front to mitigate or prevent loss. One place to start is by procuring cyber insurance and negotiating favorable terms. To that end, we offer these 10 best practices.

Your guide to mitigating cyber risks and maximizing insurance recovery

1. Complete the application carefully and accurately

Cyber insurance applications can be highly technical and lengthy. Moreover, one of the first places insurers look when presented with a cyber claim is the insurance application to see if the claim indicates any potentially inaccurate representations. Accordingly, for every placement or renewal, it is important for policyholders to engage in – as far in advance as possible – a thorough review of the application with their risk management, legal, security and information technology teams. Companies should also consult trusted brokers and coverage counsel to help guide the process in order to avoid later issues concerning the content or accuracy of the application. Policyholders should remember, however, that communications with insurance brokers may not be privileged.

2. Keep your unique business in mind

Cyber insurance policy forms are not standardized: They vary depending on the particular insurer and the industry served. Unlike with some other types of insurance, there may be material differences in insuring agreements, definitions, terms, exclusions and overall structure. Thus, policyholders should carefully evaluate and compare the policy forms when purchasing or renewing coverage and seek to tailor their insurance coverage to address any unique needs and potential exposures.

3. Negotiate flexible notice requirements and extended reporting periods

Regardless of your industry, one way to maximize insurance recovery under your cyber policy is to seek favorable notice requirements. Most cyber policies provide first-party coverage for certain costs and losses incurred directly by the policyholder as a result of cyber incidents, as well as third-party liability coverage for claims made against the policyholder. First-party cyber coverage is typically triggered by incidents first discovered during the policy period, and third-party liability coverage is usually written on a claims-made basis, providing coverage only for claims first made during the policy period.

Some cyber policies require the policyholder to provide notice to the insurer as soon as possible after becoming aware of any claim against them, and in any event before the end of the policy period. That requirement can be difficult to comply with when a loss is discovered or a claim is made very close to the end of the policy period. To help avoid coverage disputes based on notice, check whether the policy provides extra time to report losses or claims after the policy expires. If it does not, policyholders should negotiate such a provision to avoid gaps in coverage.

4. If possible, make it retroactive

As mentioned above, first-party coverage in cyber policies generally contains a discovery trigger, and third-party coverage is generally claims-made. But incidents may be discovered or claims first made well after the underlying problem actually occurs. To maximize coverage, where possible, policyholders should negotiate for favorable retroactive dates to ensure that a cyber policy covers losses arising from undiscovered breaches or claims involving alleged wrongful conduct that occurred prior to the policy’s inception.

5. Ensure you have investigation coverage

Particularly given the rise in civil litigation, it is important for policyholders to ensure that their cyber policies include coverage for governmental or regulatory investigations and actions, including informal investigations, civil investigative demands or subpoenas, legal fees incurred to respond to those investigations or subpoenas or defend against an adversary action, as well as regulatory fines and penalties and consumer redress funds. Further, because coverage for certain fines and penalties may be restricted in some jurisdictions, coverage for regulatory fines and penalties should be as broad as allowed under applicable law.

6. Check if punitive or multiplied damages, civil penalties and plaintiff attorneys’ fees are covered

Policyholders should review the definition of “loss” or “damages” (or any equivalent term in the policy) to ensure that there is express coverage for awards of punitive or multiplied damages, civil fines and penalties, and plaintiff attorneys’ fees. To further maximize coverage, policyholders should negotiate a “most favorable jurisdiction” clause that expressly states that punitive or multiplied damages and civil fines and penalties will be covered where insurable by the applicable law which most favors coverage. Potentially applicable law may include the jurisdictions where the policyholder is organized and/or located; where the insurer is located; where the underlying claim is proceeding; or where the loss occurred.

7. Review the conduct exclusion

Conduct exclusions are common in cyber policies and generally preclude coverage for claims arising out of dishonest, fraudulent or criminal conduct, or the willful or deliberate violation of the law. Policyholders should seek to narrow the scope of this exclusion by requiring that there first be a final, non-appealable adjudication in the underlying action establishing that an insured committed the excluded conduct before the insurer may apply the exclusion. This requirement should preserve coverage unless and until there is a final adjudication against the insured in the underlying action (as opposed to, say, allegations in a complaint or an insurer’s declaratory relief action).

Policyholders should also try to preserve coverage for reimbursement of defense costs incurred prior to a final, non-appealable adjudication on the merits. Finally, policyholders should seek a severability provision so that an adverse final adjudication against one insured does not automatically bar coverage for all other insureds. The severability provision should also include language providing that only excluded conduct committed by the CEO and CFO may be imputed to the company itself.

8. Ensure adequate limits of liability

Policyholders should work with their brokers to ensure their cyber insurance programs provide adequate coverage limits. Because policyholders rely on cyber insurance to cover both the first-party losses associated with a cyberattack and any third-party liability arising from it, coverage limits can be exhausted quickly. Policyholders should carefully analyze their own risks to determine the coverage limits that best address their organization's exposure to both forms of loss.

9. Take immediate action

If you believe your company has already experienced an adverse cyber event, act fast. Provide prompt notice, preserve records, contact affected third parties and reasonably mitigate exposure where possible. Even where it is uncertain whether the cyber event implicates coverage under the policy, provide notice anyway to avoid any potential waiver based on the policy's notice provision.

10. Do not overlook your CGL, D&O, E&O, crime, K&R and property policies

If your company is exposed to a cyber risk, consider and review your entire insurance portfolio for potential coverage. Other policies in your insurance portfolio – for example, commercial general liability (CGL), directors and officers (D&O), errors and omissions (E&O), crime, kidnap and ransom (K&R), or property coverage – may respond to certain cyber risks.
