In a previous post, we looked at cyber and data breach coverage issues in the context of traditional policies. But what if your current Commercial General Liability (CGL) policy has been found in litigation to provide no coverage or now contains an exclusion for certain, or all, cyber-related liabilities?
You may need a separate cyber-only policy, but how do you know what’s right for your company?
Here are key takeaways from my conversation with Lon Berk, Partner at Hunton & Williams, and Laura Foggan, Partner at Wiley Rein, LLP, who shared what you need to consider when evaluating a cyber-specific policy:
Get coverage that suits your needs
“Cyber” is a very general term; there are varying kinds of cyber exposures. Start by understanding exactly what kinds of risks pose a threat to your organization. Examine your data flows, your infrastructure, and your CGL policy closely. Maybe you already have coverage for privacy invasions, but not for cloud-based services. If you rely on cloud-based services, and your data is hosted outside your company, then that’s an area you need to cover. Consider the risks of third parties handling data for which you’re responsible. And don’t overlook the need for a network disconnection/business interruption policy (many companies do).
“What does cyber coverage mean to you? Be sure you’re getting coverage that reflects your actual risk,” Foggan says. “There is a lot of variation in the policies in the marketplace.” There are both first-party losses and third-party liabilities that need to be covered. And, there is important language in cyber policies defining the scope of coverage for the costs of providing notice of a breach or for liability in class action suits stemming from a breach.
Increasingly common are endorsements to CGL policies or multi-coverage policies including at least one type of cyber coverage. What’s covered under a cyber policy may influence how the exclusions in a CGL are interpreted, even though each is a separate contract. Or, there are instances where specialized coverage doesn’t cover every exposure — so then you would fall back on your CGL. Beware of overlap; don’t just keep adding policies.
Rely on experts
When buying specialized cyber coverage, work with a broker who’s an expert in this emerging area, in consultation with your attorneys and data security specialists.
Act proactively. You should try to have a reliable forensic expert at your disposal for occasions when a breach occurs, as well as an attorney familiar with notice and other obligations. In those situations, response time must be very fast and a very high level of sophistication is needed, so having someone you can turn to can prove hugely beneficial.
Consider any impact on your operations
What could new coverage mean for your operations? Most cyber events are minor, but some policies require that you report every occurrence — no matter how small. Otherwise, when something “big” does happen, you could get into a dispute with your insurer about compliance. When evaluating new coverage, you’ll want to ask: What are your notice obligations? Do you want to be committed to your insurer’s forensic people and attorneys? “Having designated companies specified under the policies can also be a tremendous benefit, but do your due diligence; don’t just let the insurance company pick it for you,” Berk says. After you’ve purchased a policy is not the time to discover that your procedures and processes must be overhauled.
Don’t forget about vendors
Look not only at protection of your own systems, but also the level of protection being provided by your vendors and to those for whom you act as a vendor. Often a vendor is the pathway for a major breach (last year’s Target breach is an example). That creates all kinds of liabilities. Read your vendors’ policies closely, as well as your own. You want to ensure that, up and down the line, vendor issues are addressed in your coverage. Who is doing what — and is in business with whom — are Risk Management 101. That fundamental lesson applies even in this emerging area.
Laura Foggan leads the Insurance Appellate Group as a Partner at Wiley Rein LLP, serving as lead counsel in trial and appellate matters involving complex insurance claims. She has participated in more than 200 insurance coverage appeals nationwide and made significant contributions to the development of key insurance law precedents across the country. A former co-chair of the Insurance Coverage Litigation Committee of the American Bar Association (ABA) Litigation Section, she is praised by Chambers USA as an “acknowledged expert in her field” (2013) with an “encyclopedic knowledge of insurance law” (2014). In addition, Laura counsels insurers on emerging exposures and represents insurers in arbitration and mediation settings. On behalf of both individual insurers and industry trade groups, she advocates for insurers in legislative and regulatory matters.
Lon Berk is a Partner at Hunton & Williams. His practice focuses on counseling and assisting clients with complex insurance recoveries — assisting clients to resolve insurance disputes relating to mass torts, catastrophic events and cyber security issues. He advises clients on liabilities arising out of emerging technologies, including issues concerning internet security, and provides advice regarding insurance covering such exposures. Lon’s experience also includes the trial of cases involving commercial and insurance disputes. He has represented clients in insurance disputes in state and federal, trial and appellate courts nationwide and in international arbitrations.