Cyber insurance is specifically designed to address losses resulting from problems with networks and computer systems. Insurers, however, have taken steps to limit coverage for such losses under more traditional policy forms. Here are 10 tips to consider when purchasing and/or reviewing your cyber insurance to ensure you’re getting the coverage that best suits your needs.

Tip #1 – Know What Is Available

Cyber insurance policies are not standardized and policy forms available in the market vary significantly. Most cyber policies provide both first-party coverage (for loss of or damage to the policyholder’s own property as well as lost revenue) and third-party coverage (for the policyholder’s liability to third parties), but the scope of coverage can differ widely from policy to policy. Common first-party coverages include data breach response costs, business interruption costs resulting from network failures, data breaches and ransomware attacks. Common third-party coverages include defense and indemnification for claims customers bring for lost or misused data, the costs of responding to regulatory investigations, and indemnification for regulatory fines or penalties.

Tip #2 – “Loss” of Data vs. “Misuse” of Data

Following a data breach, a business may face claims from customers or clients whose data was lost or stolen. Many cyber insurance policies only cover such claims when the stolen data was subsequently “misused” by a third party who came to possess the data. However, businesses are increasingly facing class action lawsuits based on the mere exposure of data in a breach, with no claim that the data was misused. There may be no coverage for such a claim under a policy that requires the “misuse” – and not the mere “loss” – of data. To avoid this gap in coverage, be sure that your policy language covers third-party claims for data loss.

Tip #3 – Regulatory Investigations

Data breaches frequently lead to investigations by regulatory agencies, which can lead to fines or penalties for a breached company that failed to comply with applicable privacy laws. Many cyber insurance policies provide reimbursement for these regulatory penalties or fines. However, the cost of responding to regulatory investigations – including necessary counsel or vendor fees – is frequently not covered. Companies at risk for regulatory investigations should be sure their policy covers the legal fees and other costs associated with responding to those investigations.

Tip #4 – Retroactive Date

Cyber policies typically exclude losses arising from a breach or event that occurred before a specific “retroactive date,” which is often the original inception date (purchase date) of the coverage. Unfortunately, data breaches can go undetected for a long time. A data breach that is unknown at the inception of a cyber insurance policy can cause significant losses during the policy period but will not be covered if the breach occurred before the policy’s retroactive date. If purchasing coverage for the first time, businesses should negotiate for the earliest retroactive date possible. When reviewing existing coverage, businesses should identify the retroactive date and determine if negotiating for an earlier date is warranted.

Tip #5 – What Are You Promising To Do?

Cyber insurers often require the policyholder to complete an application for coverage to attest to the adequacy of its existing network security protocols or to agree that it will comply with certain standards during the policy period. As such, policyholders must be certain that any representations of existing procedures are completely accurate, and that there are policies in place to ensure compliance with actions they have agreed to take in the future. If a cyber incident occurs and the insurer finds that the policyholder failed to comply with its representations and warranties, then coverage may be denied.

Tip #7 – “Network” Definition

Whether a breach or network failure is covered may depend on a cyber insurance policy’s definition of “network”. Policyholders should make sure that the term is defined broadly enough to cover their specific operations. For example, if the network can be accessed by mobile devices or by third-party vendors, that should be reflected in the definition.

Tip #8 – Coverage for Vendor and Rogue Employee

Although data breaches are often caused by rogue employees or vendors with access to a company’s network or systems, not all cyber insurance policies cover breaches by employees or vendors. Policyholders with this exposure should review their cyber policy to make sure it includes coverage for these types of incidents.

Tip #9 – Business Interruption: Who Picks The Adjuster?

Cyber policies frequently cover business interruption losses from a network or security incident. These losses are typically calculated by an adjuster that is appointed by the insurer. Policyholders should review their coverage to determine what, if any, provisions apply to resolve disputes over loss calculations should they arise.

Tip #10 – Business Interruption: Third-Party Network Failures

A company’s business operations can be significantly disrupted by a denial-of-service (DoS) attack on a third party’s server. For example, a DoS attack on a third-party DNS server can shut down traffic to many other businesses’ sites. Some cyber policies only provide business interruption coverage for attacks on the company’s own network. If the company relies on third-party servers or networks, then it should ensure that its cyber policy extends to losses resulting from these types of failures.


Disclaimer: This content is intended for informational purposes only and should not be construed as legal, medical or tax advice. It provides general information and is not intended to encompass all compliance and legal obligations that may be applicable. This information and any questions as to your specific circumstances should be reviewed with your respective legal counsel and/or tax advisor as we do not provide legal or tax advice. Please note that this information may be subject to change based on legislative changes. © 2020 Sequoia Benefits & Insurance Services, LLC. All Rights Reserved

Mary Beth Downs – Mary Beth Downs is a Senior Risk Advisor for Sequoia, providing property and casualty consulting services to our clients, helping them protect assets, scale in the marketplace, and manage risk. As a Bay Area resident for the past 27 years, she enjoys volunteering in her local community and traveling within the state as much as possible.