To avoid potential coverage gaps and disputes, brokers and carriers should work closely with clients to identify their unique risks, tailor coverage to address them, and make sure their insureds know exactly what is and isn’t covered.
That might seem obvious, but a recent survey of C-suite executives by my firm, Fox Rothschild LLP, exposed that the coverage provided under cyber liability policies remains poorly understood.
Fully 70% of executives surveyed for the report, “Cyber Threats: Measuring Awareness, Assessing Preparation,” said their companies carried cyber liability insurance, but only 21% had ever filed a claim.
One survey participant learned the limitations of his company’s policy the hard way when his first-ever cyber insurance claim was denied. “When we got the policy, we talked to underwriters, we went through a broker,” the tech executive explained. “Our claim was rejected, and we’re fighting them over that. We’re using this as a test case of our broker.”
Why the lack of clarity?
On the market for nearly two decades, cyber insurance is still relatively new compared to general commercial liability and other business policies. Companies lack claim filing experience, and many brokers lack deep expertise. Products also vary widely, making comparisons problematic. Our survey recorded one software firm’s general counsel as saying his company filed a claim on a relatively minor breach just to test its policy. “It’s unknown territory,” he said.
The survey showed that about half the companies with cybersecurity insurance had purchased some form of off-the-shelf coverage, or standard coverage with a few changes to cover unique aspects of their business.
The other half worked with a broker, consultant or legal counsel to obtain a custom-designed policy.
That more tailored approach helps avoid common coverage problems that arise when companies and their brokers fail to closely examine the bounds and limits of their cyber liability coverage.
Here are a few problem areas that often result in coverage disputes with an underwriter and can lead to litigation:
Misunderstanding first- vs. third-party limits
Insureds often think of liability limits in terms of third-party losses, the insurance provided to defend and indemnify a business against claims by customers, patients, employees or other data breach victims.
Often, however, direct breach response costs such as notifying affected individuals, providing credit monitoring, conducting forensic investigations and engaging a crisis management firm comprise a large share of a cyber liability claim. Despite this, standard insurance policies may sublimit such first-party costs at woefully inadequate levels. A cyber policy with an overall aggregate limit of $2 million may limit crisis management and public relations expenses to $100,000. Agents should work with clients to get a realistic estimate of their direct breach response costs, considering the type, quantity and sensitivity of records stored, to set adequate first-party sublimits.
Insufficient coverage for PCI fines
Most cyber insurance policies provide coverage for breach-related fines imposed by the state or federal government. For a merchant relying on credit card transactions, Payment Card Industry (PCI) compliance fines (or assessments) can be more devastating, and they are often subject to lower sublimits or completely excluded. If a business fails to pay the assessment on time, credit card brands such as MasterCard can terminate the business’s right to process credit cards, a potentially crippling blow. Many pay up, preferring to battle their insurance carriers over coverage afterward. Retailers and restaurants with point-of-sale systems processing large numbers of credit card transactions are particularly vulnerable, so brokers must make sure their coverage addresses this risk exposure.
Exclusions for social engineering attacks
Cyber liability insurance generally covers breaches caused by hackers breaking in and stealing sensitive data. “Social Engineering Fraud” also is becoming more pervasive. These schemes deceive victims (typically company employees) into voluntarily transferring funds or divulging confidential information.
Many companies incorrectly assume these types of losses are covered under a standard cyber liability policy or crime policy. However, most crime and cyber policies require a computer hack or active invasion of a computer system by a criminal to trigger coverage. This is becoming a huge coverage gap for businesses, as insurance carriers are denying these claims and winning coverage disputes. Agents should inform insureds of this gap and work with insurance carriers to obtain endorsements to a company’s crime policy, cyber policy or both for social engineering theft losses. The coverage under the endorsement is often sublimited and may carry a higher deductible, but it is better than no coverage at all.
Unclear ‘minimum required practices’ conditions
As demand for cyber insurance grows, more insurers are closely scrutinizing clients’ data security policies and procedures when setting rates and determining coverage. The nebulous phrase “minimum required practices” has increasingly become a flashpoint for coverage disputes and litigation. Insurers are citing the term to deny coverage in some cases, saying insureds took inadequate precautions. Close cooperation between broker, carrier and client can ensure such provisions are excised, or narrowly drawn to remove ambiguity. Increasingly, underwriters are requiring clients to have adequate internal preventive measures in place before issuing coverage. Companies looking to reduce insurance costs and lower risk should implement a complete risk management plan that includes policies, procedures and employee training designed to prevent breaches.
Coverage for GDPR risk exposures
One of the biggest current questions is how carriers will address increased claim exposure under the European Union’s General Data Protection Regulation (GDPR). Most policies include coverage for violations of international privacy laws; however, GDPR has a wide range of mandates and steep fines for violations. Some violations may be covered while others may not. Companies subject to GDPR should discuss this issue with their brokers now.
My experience with my clients reflects the findings of our survey. Many have cyber coverage, but aren’t completely sure what it covers. That creates a problem in an actual data breach, especially if a claim is rejected or partially covered. Companies tend to blame their brokers, expecting them to know their businesses well enough to make sure they have adequate coverage.
To avoid damaging client relationships, brokers should get to know their customers’ cybersecurity risks, and work with carriers to design expansive cyber liability policies that provide complete coverage. They should also ensure the policyholder has a clear understanding of their coverage. That way, if there is a data breach and they are responding to it with their client, they have a satisfied customer and can fully advocate for their client’s business.