Not all cyber policies are the same and there are certain features and enhancements you need to be aware of. Here are five cyber coverage tips:
#1 Obtain Retroactive Coverage
Many cyber coverage policies are claims-made, meaning they will only cover incidents that occurred during the policy period. Let’s say your cyber policy has an inception date of January 1, 2022. Several days later, you discover that the cyber breaches actually started 3 months earlier. The incidents that occurred prior to January 1, 2022, will not be covered under a claims-made policy.
The best way to avoid this is to buy coverage extending back 2, 4, 6 or even 10 years, unless you can simply buy an occurrence form and obtain retroactive coverage.
#2 Beware of Panel and Consent Provisions
Many cyber coverage policies require that the people used to respond to a cyber claim be drawn from a preapproved list. If you have consultants, investigators, or attorneys you would like to work with in the event you have to file a claim, ask that they be added to the list.
As James Bobotek, a partner at Pillsbury Winthrop Shaw Pittman in McLean, Virginia, points out, “Cyber policies also often contain provisions stating that the policy holder must obtain the insurer’s consent before incurring any expenses to notify customers of a data breach, conduct forensic investigations, or defend against third-party claims. Insurers sometimes invoke these provisions to deny coverage when emergency costs have been incurred without the insurer’s consent, even if the costs are entirely reasonable and necessary. If prior-consent provisions are included in the policy you are considering and cannot be removed, you should, at a minimum, change them to provide that the insurer’s consent ‘shall not be unreasonably withheld.’”
#3 Pay Attention to How Defense Costs Are Allocated
Sometimes lawsuits involve claims covered by a cyber policy as well as claims that are not. What portion of the policy holder’s defense costs will be paid from the cyber coverage policy?
As James Bobotek points out, some policies say that the insurer will pay all defense costs if the lawsuit alleges any claim that is potentially covered.
Others stipulate that the insurer will only pay costs that it unilaterally believes to be covered, unless or until a different allocation is negotiated, arbitrated, or determined by a court. These issues are less likely to arise under a “duty to defend” policy, where the insurer must assume the defense of any third-party claims.
This type of policy typically covers all defense costs as long as any of the claims are potentially covered. However, under a “duty to reimburse” policy, where the insurer agrees to reimburse the policy holder for its defense costs or pay them on its behalf, allocation is more likely to be disputed.
Be sure you understand the allocation method contained in the policy you are considering. Try to negotiate one that is favorable to you.
#4 Be Sure You Have Coverage for Vendor Acts and Omissions
At least a part of an organization’s data may be outsourced to third parties. To protect your business, it’s crucial that your policy cover you for breaches they may cause. Most but not all cyber policies cover “vicarious liability” for acts and omissions of vendors, consultants and sub-contractors. Be sure your policy language is not ambiguous about this.
That said, you should also require that vendors and others in whose care you place your data have adequate cyber insurance themselves and name you as an additional insured. Get a certificate of insurance.
Also, your policy should state that when their insurance applies, your insurance should only apply after the vendor’s insurance coverage has been exhausted.
#5 Get a Partial Subrogation Waiver
When you have a loss, your insurer is typically “subrogated” to any claims you may have against third parties. This allows your insurer to recover funds they paid to you by going after your vendors if they were culpable for those losses.
To fortify your insurer’s rights in that respect, your policy may say that you cannot do anything to impair your insurer’s right to subrogation. The problem is that many contracts with data managers state that their liability to you is limited. That can put you in breach of your insurance contract.
The way to fix this problem is to obtain a partial waiver of subrogation for your cyber policy. This will provide that the insurer will not assert that its right of subrogation has been impaired by any contracts you entered with vendors prior to a loss.