Views on Corporate Cybersecurity Insurance Options From Thomas H. Bentz Jr. of Holland & Knight LLP

Cybersecurity insurance has become an important part of the cyberattack and data breach risk analysis equation for companies.

Bloomberg BNA Privacy & Data Security News Managing Editor Donald G. Aplin posed a series of questions to Thomas H. Bentz Jr., a partner at and director of the D&O and Management Liability Insurance Team at Holland & Knight LLP, in Washington, about cybersecurity insurance offerings and what companies should consider when seeking coverage. Bentz is the author of Holland & Knight's recently released “A Buyer’s Guide to Cyber Liability Insurance Coverage.”

Bloomberg BNA:

With the growth of reported data breaches and cyberattacks, has there been an attendant rise in available types of cybersecurity insurance from competing insurance companies?

Bentz:

Cyber insurance policies are both complicated and rapidly changing. There is no standard policy form, which means that the coverage offered by one insurer may (and often does) differ dramatically from that offered by another insurer. There is little agreement between insurers on what should be covered, when the coverage should be triggered or even how basic terms should be defined. These differences make understanding what is and is not covered very difficult. It also makes it nearly impossible (or at least foolish) to purchase coverage based on price alone. Notwithstanding, a strong cyber liability insurance policy may offer significant protection to companies. In some cases, it may even save a company from financial and reputational ruin.

Cyber liability insurance is a relatively new concept. The first policies did not appear until the late 1990s and there have been constant changes to the forms and the protections offered ever since. Today, there are approximately 30 insurers that offer some type of cyber risk and data privacy coverage. However, the coverage provided varies wildly between different insurers. In addition, the market is in flux with new coverage types and new coverage forms appearing nearly as often as new cyber claims are reported. The latest trend is catastrophic, high limit coverage.

Because there is so much difference in the coverage, it is imperative that insureds understand what coverage they need, what coverage is being offered and what risks they will need to self-insure against even after they purchase coverage. It cannot be stressed enough that comparisons of cyber policies based on price alone are nearly meaningless for this line of coverage.  

Bloomberg BNA:

If a company has good directors and officers and errors and omissions insurance, does it still need to consider cybersecurity insurance?

Bentz:

The answer depends on the risk profile of the company. Cyber insurance can provide several types of protection that are not typically available in either a D&O or E&O policy. For example, a cyber policy can offer: (1) loss containment coverage (to determine how the breach occurred, how to stop it and how to prevent it from occurring again in the future); (2) extortion coverage (to pay a hacker who is attempting to extort money by threatening to release sensitive information or holding a network hostage if a ransom is not paid); (3) notification coverage (to notify customers and others about a cyber event and provide credit monitoring services); (4) regulatory defense and penalties coverage; and (5) business interruption coverage. These coverage grants are typically not available on a D&O or E&O policy.

Cyber policies also often provide other benefits, such as breach coaches, IT assessments, table top exercises and call centers to answer customer questions about a breach. For many companies, access to these benefits and the ability to turn a claim over to an insurer after a breach is as valuable as the coverage grants above because many companies are simply not set up to handle a breach on their own.

Notwithstanding, there is certainly a potential for overlap with other lines of coverage including the D&O and E&O policy forms. The point is that a company needs to understand its risk profile so it can transfer its risks accordingly. Companies that buy an off-the-shelf cyber policy are likely to have coverage grants they do not need as well as potentially duplicative coverage that is needlessly adding to their premium.  

Bloomberg BNA:

Do you agree that having insurance to defend against class litigation in the wake of a data breach may be increasingly important given movement by some courts—including recently the Seventh Circuit in the Neiman case—to seemingly be willing to count potential harms sufficient for standing in such cases?

Bentz:

Yes. Class action litigation is expensive and can have a potentially devastating impact on a company.

Prior to Neiman, courts routinely dismissed data breach claims brought as a class action because the plaintiffs could not demonstrate that they had an imminent risk of suffering a concrete injury simply because their personal data was stolen—the standard set forth in the U.S. Supreme Court’s ruling in Clapper v. Amnesty International. According to the Seventh Circuit’s ruling in Neiman, however, there is an “objectively reasonable likelihood” that an injury such as identity theft or fraudulent charges will follow after a hacker obtains personal information. According to the Seventh Circuit, “[w]hy else would hackers break into a store’s database and steal consumers’ private information?”

Although this ruling is significant from a litigation perspective, it is still too early to know how significant it will be from an insurance perspective. Plaintiffs cannot recover for potential damages even if potential damages are enough to establish a class. Companies that suffer a data breach are already providing credit monitoring and other mitigation services to those that have their information hacked and this is already covered by cyber insurance. Maybe this ruling will result in some additional services or plaintiff fee awards to the plaintiffs’ law firm but it is too soon to know whether it will significantly impact the actual damages resulting from a cyber event.  

Bloomberg BNA:

In terms of liability for a data breach, should companies try to secure coverage that extends to vendors or other third parties it may be working with to handle personal data or is a viable alternative requiring in contracts with the third parties that they protect the data and assume liability?

Bentz:

There are really two different issues / types of claims in this scenario. First is a claim by a plaintiff against a company for damages related to a data breach. Many cyber policies will cover this type of claim regardless of whether the negligence was caused by the company or a vendor hired by the company. To be certain, the company should check the insuring agreement and the definition of “wrongful act” in the policy to make sure that the policy will cover vendor negligence. Companies should be careful about specifically adding vendors to their policies as this can cause many complications in the event of a claim. If a vendor is added, the company should clearly set forth issues such as who has rights to the policy proceeds, when the coverage starts and ends and what happens if the vendor fails to meet any obligations set forth in the policy.

The second type of claim is one by the company against the vendor for its negligence in maintaining the data. This is essentially an errors and omissions claim and the relevant insurance is really just a safeguard against a vendor failing or refusing to honor its indemnification agreement. If the company is using a vendor that can “afford” to indemnify it against any breach, and the company has confidence that the vendor will honor that indemnification obligation, then insurance may not be necessary. If insurance is needed, that type of claim (a claim by the company against its vendor) would likely be covered by the vendor’s E&O policy. The point is that the company may care more about the vendor’s insurance than its cyber policy in this scenario.

Bloomberg BNA:

Are there particular exclusions or policy language definitions that are particular to cybersecurity insurance that companies should be on the lookout for when procuring coverage?

Bentz:

Absolutely. Insurers are generally willing to provide several significant improvements to their policy forms if you know what to ask for. Importantly, these improvements often come with no additional premium. The following are just a few examples of why knowing what to ask for can be so important:

  • Many policies only cover cyberattacks or data breaches occurring after the retroactive date (generally the inception date of the coverage). This may leave an insured without coverage for a network security breach that occurred but was undetected before the retroactive date.
  • Be sure that loss caused by insiders/employees is covered. Some policies only cover loss caused by outside hackers.
  • Make sure the coverage does not require “updated” software protections. This may artificially limit coverage for many companies.
  • Make sure that there is coverage for state-sponsored attacks. Many policies will limit coverage by adding an exclusion or limiting definitions.
  • The bodily injury/property damage exclusion should also include a carve back clause for mental anguish, emotional distress and shock caused by a cyber event. Many plaintiffs will allege these types of damages after a breach.
  • The mechanical/electronic failure exclusion needs to be limited so that if a cyber-criminal causes the failure by means of a virus, spam attack, etc., the policy will respond.
  • The Acts of War, Invasion and Insurrection exclusion should not exclude acts of “terrorism.” Almost all cyber breaches could be considered acts of terrorism.
  • Some cyber liability policies exclude coverage for portable electronic devices. The best option is to remove this exclusion. This may only be possible if the insured agrees to encrypt the data contained on the portable devices.

One of the most common mistakes when purchasing cyber liability insurance is the failure to involve the relevant parties at the company in the key coverage decisions. For example, the risk manager may be very comfortable with the panel counsel requirement under the policy. However, the general counsel may insist on using a non-panel firm for a particular claim. Using a non-panel firm may jeopardize the coverage or even void it altogether.

This is a common issue for cyber liability policies because cyber liability policies often require the use of a pre-approved breach coach, public relations firm and law firm as a condition for coverage. Many companies are more proactive today in their approach to cyber risk and many have hired experts and legal professionals to assist them with their planning and crisis management needs. This may create significant issues if the company is not allowed to use the preferred expert or professional that it has a pre-existing relationship with simply because that expert or firm is not on the pre-approved panel.

The time to learn about and resolve these potential issues is before the policy is finalized. Insurers are often much more willing to endorse a coach or firm onto a policy at renewal or before the policy is purchased than to provide an exception at the time of the claim. In addition, the company will need to respond promptly to a breach and may not have time to seek an exception to the panel firm requirements after a breach is discovered.