I recently came across an excellent article that provides insight on little-known tips that a business owner would want to know when negotiating Cyber Risk coverage. Very few insurance agents who specialize in business insurance have the experience needed to advise clients on the proper coverage forms to purchase and on the coverage pitfalls that should be avoided. To achieve the best outcome for a client, almost any Cyber Risk policy form should be specifically negotiated. The highlights of the article follow:
- Business Interruption (AKA Business Income) coverage is tempting, but may not be a good deal. Business Interruption insurance pays for lost profits, continuing operating expenses, and other extra expenses during the period of restoration following a covered shutdown. However, since most shutdowns and network disruptions are fixed quickly, business interruption coverage will rarely come into play because of the lengthy waiting period before coverage attaches.
- Make sure that you purchase an adequate limit of liability, since data breaches can be very expensive due to the average cost per compromised file as well as statutory fines. Additional limits in increments of $1 million are normally very inexpensive, while the average expense of a compromised client is $194 per electronic record and some states impose statutory fines of $1000 in damages for each claimant. Therefore, it does not take that many compromised client files to reach multiple millions of dollars in damages.
- Beware inadequate sublimits for regulatory investigations, notification costs, and other crisis management expenses.
- Most Cyber Liability policies are written on a claims-made basis with a retroactive date set to the first policy inception date. As a result, any prior but as-yet-unknown data breaches would not be covered under such a policy form. Because it can take some time to learn about a data breach, it is advisable to request an earlier retroactive date, which many carriers will provide for a small additional charge.
- Beware the breach of contract exclusion. This exclusion can come into play following a data breach involving customer, patient, or business partner confidential information if the underlying contract required the insured to protect the confidentiality of that information. Many carriers are willing to modify the breach of contract exclusion to address these situations.
- Many Cyber Risk policies require that any experts hired in the event of a data breach or other triggering incident, whether IT professionals or attorneys, be on a list approved by the insurance carrier. This can become a problem if the insured wants to use its own IT professional or attorney. The time to make sure that such an IT professional or attorney is on the approved list is before coverage is bound.
- Check to see if the policy includes a provision requiring prior consent before the insured incurs any immediate or rush expenses in response to a coverage-triggering event. Some carriers will deny such expenses if they were not approved in advance. It may be prudent to insert a provision that such approval may not be unreasonably withheld.
- Beware policies with an allocation of defense costs provision, under which defense costs are divided between the covered and non-covered portions of the damages. The better policy forms will pay 100% of defense costs even if only a small part of the damages or causes of action are covered.
- Some Cyber Risk policies don't pay for damages to the extent that the negligence or errors and omissions were those of an outsourced third-party vendor. It should be clarified that coverage does exist for the vicarious liability of the insured for claims that arise out of the errors and omissions of vendors, consultants, and subcontractors.
- Some Cyber Risk policies specify that the deductible or self-insured retention can only be satisfied by out-of-pocket expenses paid by the insured. However, whenever a responsible vendor pays such expenses because an indemnification provision has been triggered, the insured should be given credit to the extent of the vendor's payment. In other words, the Cyber Risk policy should dovetail with any indemnification provisions so that vendor payments count toward the deductible or self-insured retention.
- Attempt to negotiate a partial waiver of subrogation provision in place of any standard waiver of subrogation provision. Problems can arise if the Cyber Risk insurer pays a loss and then subrogates against the third parties responsible for causing the data breach. For example, a vendor may be responsible for the data breach, but the insured's written contract with that vendor may include a limitation of liability provision in favor of the vendor. The Cyber Risk carrier may consider such a provision to jeopardize its subrogation rights. The solution is to make sure that the policy allows the insured to waive subrogation rights prior to a loss.
Source: "How to Negotiate Cyber Insurance," by Rene L. Siemens and David Beck, attorneys, Pillsbury Winthrop Shaw Pittman LLP; Insurance Law Community, LexisNexis Communities.