Cyber Insurance – Understanding the Pitfalls
As more and more companies enter the burgeoning cyber insurance marketplace, they often ask policyholder counsel like me how they can choose the best cyber policy when confronted with so many choices.
When the marketplace was still in its infancy just a few years ago, this was a considerably harder question because the policy forms, including the scope of the first-party and liability coverages offered by different insurers, varied so drastically. But as the cyber insurance marketplace enters its adolescence, the available coverages and exclusions are beginning to standardize, at least at a high level.
But what has not changed is that many key terms of these policies remain negotiable (considerably more so than for other types of insurance policies), and the courts have been presented with few opportunities to provide guidance on how key provisions in these policies are likely to be interpreted.
Cyber insurance remains a work in progress when it comes to assessing the risks carriers face and providing a clear…
The net result is that prospective policyholders can and should continue to negotiate aggressively in the underwriting process, especially when purchasing cyber coverage for the first time. But what provisions should a prospective policyholder be most concerned about? The answer depends largely on the most prevalent risks faced by the individual company, which differ from one business to the next.
However, there are some provisions common to many cyber policies that, in my view, present risk to all policyholders due to imprecise or inappropriately restrictive coverage language. Because these provisions are almost certain to be the basis of numerous denials of coverage, they are likely to be tested in litigation in the next few years and deserve particular focus by prospective policyholders. Some of these looming battleground provisions include:
Retroactive dates
Most cyber policies are subject to a specified retroactive date, which means that claims arising from events that occurred before that date (such as a data breach that began before the policy was purchased) are not covered. Often, the insurer will set the retroactive date at the inception date of the first policy it issues to a particular insured. This can be a significant problem, especially for first-time insureds, because the retroactive date and any potential claims are so close in time: an intrusion that began months before it was detected, but before the policy incepted, falls outside coverage even though the loss surfaces during the policy period.
To make matters worse, many cyber policies contain language purporting to relate all causative events back to the date of the initial causative event, so a breach discovered during the policy period may be treated as having occurred when the attacker first gained a foothold. In many cases, this problem diminishes over time if the policyholder renews its cyber policy with the same insurer (i.e., the retroactive date remains fixed at the initial inception date as successive policies are issued). That said, I still see more cyber claims denied on this ground than any other.
Some cyber insurers will agree to backdate applicable retroactive dates for prospective policyholders and some will not. Particularly with respect to the latter, significant factual disputes regarding the specific events precipitating an otherwise covered claim are entirely foreseeable. The complex technical aspects of data networks and the inherent uncertainties regarding the genesis of many breaches are likely to exacerbate these disputes even further.
Unauthorized access to computer systems
Many cyber policies provide coverage only where access to the insured’s computer system is “unauthorized.” Some insurers will argue that this precludes coverage where an employee negligently exposes credentials (such as by losing his or her password) or is tricked into providing access (such as in a spear phishing attack). The insurer’s argument draws on the fact that, from a technical standpoint, an attacker who logs in with stolen or phished credentials is using a valid account, and the resulting session looks no different from a legitimate login.
Some insurers have sought to clarify the scope of “unauthorized access” by defining that term in their policies, but others have not. Like many cyber policy provisions, the scope of this definition may be negotiable, and any ambiguities should be resolved in favor of the policyholder under general principles of insurance policy interpretation. But given the ever-increasing frequency of cyber fraud and the ingenuity of cyber fraudsters, the extent to which cyber policies cover unintentional but arguably authorized access to computer systems is likely to be disputed vigorously.
War and terrorism exclusions
Many cyber policies exclude loss arising from acts of war and terrorism, and define those terms broadly. Because these exclusions are carryovers from older types of liability policies, they often are overlooked as mere boilerplate for companies whose operations are largely domestic. But the danger of these exclusions in the cyber context, if not worded appropriately, is that they potentially preclude coverage for cyber attacks initiated by individuals or entities in foreign countries, where many of the most serious attacks originate.
I have seen a number of these exclusions in which the insurer could make a reasonable argument that a state-sponsored attack by a foreign government (e.g., the North Korean attack on Sony), or even an attack by loosely affiliated groups or individuals with a particular political or social agenda, falls within the scope of the exclusion. Because cyber attacks by foreign entities are now so ubiquitous, this should be a serious concern for policyholders, not just an academic discussion.
Some insurers are now willing to negotiate a more appropriate scope of these exclusions (e.g., carving “cyberterrorism” out of the exclusion). But for insurers that refuse to negotiate this language, the extent to which attacks originating abroad constitute acts of war or terrorism is likely to be a hotly disputed issue, and because technical attribution of an attack to a particular state or group is rarely conclusive, those disputes will often turn on contested forensic evidence.
Exclusions for generalized acts or omissions
Some cyber policies exclude coverage where the insured fails to follow “minimum required security practices,” employ “best security practices,” or comply with its own security policy. In my view, these exclusions are inappropriately overbroad and lend themselves to subjective application: almost any breach can be traced to some lapse, such as a single unpatched server or a missed step in the insured’s own written procedures, that an insurer could cite after the fact.
Even though these exclusions are becoming far less common in cyber policies (probably due to marketplace pressure to remove them), they still persist in some cyber policy forms. In fact, one of the few lawsuits filed to date over coverage under a cyber policy focused on precisely this issue (although it was dismissed on other grounds). As long as these exclusions persist, their inherent ambiguity and uncertain application are likely to make them the subject of considerable dispute.