A User’s Guide to Data Breach Insurance Coverage

This post first appeared on Risk Management Magazine.

High-profile data breaches like last year’s Equifax hack, which exposed the personal information of more than 147 million consumers and led to class action lawsuits, criminal investigations and increased regulatory scrutiny, serve as a vivid reminder that all companies need to take steps to protect themselves from such disaster. When preparing for and responding to a cyber event and its ensuing fallout, having comprehensive insurance coverage is critical. Cyber liability coverage is usually considered the key responder to a cyber event, but other insurance coverage should be reviewed as part of a comprehensive breach response plan as well. Key personnel responsible for detecting, reporting and responding to cyber events and privacy violations should also be well-versed about what insurance coverage may respond and how to ensure that the company may access it when needed.

Cyber Liability Coverage as First Responder

Cyber liability policies typically cover both first- and third-party losses. First-party losses include the breach response costs a company would pay to notify and communicate with individuals affected by a breach, conduct a forensic analysis, and hire legal counsel and a crisis management team. First-party cyber coverage may also pay for the loss or restoration of digital or network assets, trade secrets, intellectual property and business interruption expenses. Cyber extortion is another first-party coverage that pays the costs to terminate incidents in which criminals hold (or threaten to hold) a company’s network hostage in exchange for a ransom.

Third-party losses covered by cyber policies will generally include the costs to defend and settle litigation and certain regulatory matters arising from an incident or a privacy violation. Claims arising from a breach may include invasion of privacy, emotional distress, economic harm suffered by customers, losses arising out of the publication of stolen data, costs arising from intellectual property infringement, losses relating to Payment Card Industry Data Security Standard compliance and credit card reissuance, and consequential damages such as losses based on hackers’ trading on inside information of publicly traded stocks.

Just as cyberthreats are continually evolving, so are cyber liability policies. Dozens of major domestic and international insurers offer cyber liability insurance, and the terms, conditions and exclusions of these policies may be specialized and vary widely from carrier to carrier. Cyber liability policies are exceptionally complex, so it is important to understand how the company’s cyber liability coverage is triggered and its scope before an incident occurs. Provisions that demand particular attention include:

The Importance of Timely Notice. One common potential pitfall is providing timely notice of claim. Because they include both first- and third-party coverage, cyber policies often contain a mixture of claims-made and discovery-triggered coverage. Claims-made coverage responds when a “claim,” as defined in the policy, is first made against an insured, irrespective of when the underlying incident occurred. Discovery-triggered coverage responds when the insured develops a reasonable belief that a first-party loss potentially covered by the policy may have occurred, even if the nature and extent of the loss are unknown. Notice is generally required as soon as practicable after a claim is made or loss discovered, and policies may require that notice be received during the policy period. In addition to timely notice, some cyber policies may require a sworn proof of loss within 90 to 180 days after discovery of certain first-party losses. It is thus critical that company personnel in a position to detect potentially covered claims or losses have a working understanding of the scope of coverage and how it is triggered so that information is promptly communicated to management responsible for notifying the company’s insurance carriers. Notice should also be given to any excess insurers at the same time as the primary.

Beware Short Retroactive Dates. Newly placed cyber policies may have a short “retroactive date”—usually the date of inception—meaning that the policy may not cover an incident that began before placement of the coverage, even if it was not reasonably possible to detect the existence of the incident. Cyber incidents do not follow a schedule and may go undetected for long periods of time. When placing cyber coverage, it is important to request a retroactive date of at least one year, although not all carriers may offer that enhancement and those that do may require additional underwriting or additional premium.

Accurately Complete Policy Applications. The underwriting process for cyber liability coverage is similarly more complex than other lines of liability insurance. Policy applications may contain dozens of technical questions regarding the company’s networks, the data stored or collected, its electronic defenses, and its privacy and vendor policies. Completing a cyber liability application is a collaborative effort between the company’s risk management, legal, security and network administration personnel. It is critical that policy applications be completed as accurately as possible. A misrepresentation in an application may allow an insurer to deny coverage for a claim or, worse, rescind the policy. In some states, even an unintentional misrepresentation may be grounds to void an insurance policy.

Obtain Consent to Retain Counsel. Most cyber policies place some restriction on the retention of outside counsel and other professionals and vendors in response to an incident. Policies may require obtaining the insurer’s prior written consent before retaining counsel, professionals or vendors, or may require the policyholder to select from pre-approved “panel counsel” or vendors. Failing to obtain the required consent or going “off-panel” may cause the insurer to disclaim coverage for some defense costs. Before a claim occurs, companies should confirm that they may retain their preferred counsel and vendors, and if panel counsel is required, request that preferred counsel and vendors be placed on the list. In the event of a cyber claim or loss, companies should immediately obtain consent to incur defense costs or pay required professionals.

Privilege and Confidentiality Concerns. Communications between policyholders and their insurers may not be privileged and may be discoverable by plaintiffs in class actions.

Handling Large Cyber Claims. First-party losses and defense costs may exceed the primary layer and one or more excess layers of coverage in large cyber claims. It is critical to keep the primary and all excess carriers informed of material developments in the claim so that the excess carriers can immediately respond in the event lower layers are exhausted.

D&O Coverage for Liability Claims

Directors’ and officers’ insurance should cover the defense of and potential liability arising from class actions, shareholder suits, and SEC investigations alleging or involving securities-related misrepresentations, possible insider trading, and breaches of fiduciary duty by the company’s management. Public company D&O policies typically include three insuring agreements: “Side A” coverage for non-indemnifiable claims made against directors and officers; “Side B” coverage that reimburses the company for amounts it pays to directors and officers as indemnification arising from claims made against them; and “entity” coverage for securities claims made directly against the company. D&O policies issued to private companies may cover the entity for a broader range of claims than just securities claims.

Allegations against a board of directors may include failing to ensure that the company has adequate protocols in place to prevent, mitigate or respond to a cyber event. As a practical matter, board preparedness is a frequent issue with public companies. A failure of clear governance makes companies far less secure. Processes, including deciding when companies notify customers of a breach, should be in place before a cyber event occurs, as part of planning for post-breach responsibilities. A company’s failure to have sufficient response processes in place may result in regulatory investigations as well as derivative suits alleging mismanagement. Additionally, the directors of companies operating in the European Union may also face claims of personal liability in the event of a data breach or privacy law violation. Securities and derivative plaintiffs have been largely unsuccessful to date, but the diligence required is evolving, as is the risk. The Equifax data breach may be the case that tests how a D&O policy responds to such situations.

Other Coverages to Consider

After a cyber event, a cyber insurance policy is often the first line of defense. The Equifax breach (as well as other past breaches) and the actions allegedly taken by certain key officers immediately after the incident make it clear, however, that D&O policies may be implicated after a cyber event. Depending on the particular circumstances of an incident, organizations should consider other policies as well.

Comprehensive general liability (CGL) policies also should be reviewed for possible coverage. Cyber events are often predicated upon the violation of a right to privacy. As such, coverage may be available under the “personal and advertising injury” sections of standard CGL policies. These sections generally cover any “oral or written publication that violates a person’s right to privacy.” Some policies, however, do not define the “right to privacy,” thus leaving the coverage subject to courts’ interpretation. The facts underpinning particular cyber incidents and privacy violations also vary widely, and courts have reached seemingly inconsistent conclusions about whether CGL policies respond to cyber incidents. In light of this uncertainty, and because it does not cover the full range of first- and third-party losses covered under most cyber liability policies, CGL insurance should not be considered a substitute for comprehensive cyber liability insurance coverage.

If a cyber incident targets, or a privacy violation is allegedly committed by, an organization providing professional services, such as a health care provider, consultant or law firm, professional liability errors and omissions (E&O) policies may also be a source of coverage. E&O policies often provide broad coverage for claims based on a “wrongful act” in the performance of (or failure to perform) professional services. If the parties potentially affected by the incident or violation include clients or customers, subsequent litigation may allege that the organization violated a professional responsibility to protect the clients’ or customers’ information or privacy.

E&O policies may vary from industry to industry and insurer to insurer. Companies should review E&O policies carefully to ensure that they will cover the types of professional services performed by the business, and for exclusions that may impact coverage in the event of a cyber incident.

Fiduciary liability insurance (FLI) policies also may be implicated depending on how record-keepers and fiduciaries are addressing cybersecurity issues to ensure the safety of personally identifiable information of employee benefit plan beneficiaries. FLI policies generally cover the liability of plan fiduciaries, settlors and administrators for violations of Employee Retirement Income Security Act (ERISA) and other employee benefits laws. Although ERISA does not expressly state that failing to prevent, adequately respond to, or lessen the impact of a cyber incident or privacy violation constitutes a breach of fiduciary duty, plan beneficiaries may make that argument under ERISA in the event of a cyber incident. FLI policies, like cyber liability, D&O, CGL and E&O policies, generally respond to and cover the defense of meritorious and non-meritorious claims alike.

Overall, companies should take stock of their insurance coverage and educate key responders and decision-makers before a cyber event occurs. After an incident, all lines of insurance could come into play and are therefore best reviewed in advance to maximize potential coverage.
