As an independent risk management and insurance consulting firm that advises insureds on a fee-only basis, we see and evaluate a lot of insurance policies. Most have standard forms; however, in certain areas of our practice, there are no standardized forms. One such area, where we see players claiming they have major league policies that we sometimes find offer bush league coverage, is cyber insurance. This short article for Agency Checklists, adapted from our blog, points out some examples that you may wish to consider if you deal with cyber insurance as an agent, broker, insurer, or insured.
Gaps Remain Even Now
Cyber insurance has been in the market for quite a few years now. When an insurance product has been around long enough it eventually becomes standardized. Not so, yet, in the cyber market, so care is needed.
Even to this day gaps abound. Below are a couple of examples from policies proposed by brokers or insurers that we have seen so far in 2019, that we found wanting.
Cloud Applications Not Recognized
In a recent proposed policy, the term “Security Failure” was defined to include breaches of “the insured organization’s computer system.” The policy had no further definition of what the term “computer system” meant. In response to our request for the policy broadening or defining the scope of the term by endorsement, the broker wanted us to accept that the meaning was the “computer system and everything connected to it.”
We understand that courts dealing with ambiguous terms will construe them in favor of the insured. However, in negotiating insurance language for an insured, we do not want to hope a friendly court agrees with the broadest possible interpretation of a disputed term. Rather our goal is to provide clarity and certainty that benefits both the insured and the carrier. We look for language that is available in the market that defines the terms “computer system and/or network” in a manner broad enough to define the client’s insured operations with minimal ambiguity. One example of a definition we have used is below:
Lack of Clear Coverage for an Insider’s Fraud or Hack
Insider exploits may not be frequent, but they can be the most severe of all cyber losses. Disgruntled employees, with an insider’s keys and access, have, in some instances, caused the near destruction of their employers’ computer systems and databases.
In our practice, we strive to secure coverage for these rare but destructive actions. However, we find that some policies offered to our clients are woefully deficient in fully covering this risk. An example of this deficiency was the language of a proposed policy that provided insider coverage except for actions by “senior executives.” Instead of the narrow definition we prefer, this proposed policy’s definition broadly defined a senior executive as follows:
As you can see, this definition goes on and on, including some of the positions we would be most concerned about, like “chief information security officer.” To totally ensure no claim would survive, this same policy also specifically excluded claims related to “employment practices,” excluding from coverage any claim “directly or indirectly arising from”:
In our opinion, a good cyber policy should only exclude persons who realistically qualify as key top management and should not exclude employment practices.
No Coverage for Data Breach of Third-Party Corporate Data
In one proposed policy we troubleshot, there was coverage for personal data but not corporate data.
A data breach can result in liability for exposing another party’s confidential information. These other parties can be employees or other persons, or they can be companies with whom an insured does business.
In one cyber policy we reviewed, the policy provided coverage for a “Data Breach,” but a data breach was defined as a breach that exposes “personally identifiable information” (PII), defined as follows:
This policy, as written, provided our client no coverage for a data breach involving business data.
In our opinion, what insureds need in a good cyber policy is data breach coverage that includes both PII and business-related data, such as the “Third Party Information” defined in the policy we recommended to our client, where third-party information had the following definition:
Watch out for the curve ball
Notwithstanding the above examples, cyber policies are becoming more standardized and, therefore, clearer in the coverages and exclusions. However, we continue to see policies that are not ready for the big league. Anyone dealing with placing cyber policies should keep in mind that there are policies in the marketplace cobbled together by amateurs, who can and do commit major league coverage errors.
About LicataRisk Advisors
LicataRisk Advisors is an independent risk management and insurance consulting firm. We are not brokers, and we do not sell insurance. We are not connected to any insurance company or product in any way and do not receive commissions. This is an important difference as you will have an expert on your side who is only committed to you.
Licata Risk is not a law firm and does not practice law. General advice and contract input by the consultants, including those who are attorneys, is to provide insight into the risk and insurance aspects. Your attorney should be the final authority on any legal matter.