Things to consider before you purchase your policy
I recently came across an excellent article that provides insight for business owners on little-known tips for negotiating Cyber Risk coverage. Very few insurance agents who specialize in business insurance have the necessary experience to advise clients on proper coverage or potential coverage pitfalls to avoid. To achieve the best outcome for a client, almost any Cyber Risk policy form should be specifically negotiated. Below are the 11 tips highlighted in the article:
- Business Interruption (or Business Income) coverage is tempting, but may not be a good deal. Business Interruption insurance pays for lost profits in addition to continuing operating expenses and other extra expenses during the period of restoration to recover from a covered shutdown. However, since most shutdowns and network disruptions are quickly fixed, business interruption will usually never come into play because of the lengthy waiting period before coverage kicks in.
- Make sure to purchase an adequate limit of liability since recovering from data breaches can be very expensive. Additional limits in increments of $1 million are normally very inexpensive. However, the average expense of a compromised client is $194 per electronic record, and some states have statutory fines of $1000 in damages for each claimant. Therefore, it does not take that many compromised client files to reach multiple millions of dollars in damages.
- Beware of inadequate sublimits for regulatory investigations, notification costs, and other crisis management expenses.
- Most Cyber Liability policies are written on a claims-made basis with a retroactive date set to the first policy inception date. As a result, any data breaches you’re unaware of would not be covered under such a policy form. Because it can take some time to learn about data breaches, it’s advisable to request a prior retroactive date, which may be obtained from many carriers for a small additional charge.
- Beware the breach of contract exclusion. This exclusion can come into play from a confidential data breach of a customer, patient, or business partner if a contract required the insured to protect such data. Many carriers are willing to modify the breach of contract exclusion to address these situations.
- Many Cyber Risk policies require that IT experts or attorneys hired in the event of a data breach or other triggering incident must be on a list approved by the insurance carrier. This can become a problem if the insured wants to use their own IT professional or attorney. The time to make sure that your choice of IT professional or attorney is on the approved list is before coverage kicks in.
- Check to see if the policy includes a provision requiring prior consent before the insured incurs any immediate or rush expenses in response to a coverage-triggering event. Some carriers will deny such expenses if they’re not pre-approved. It may be prudent to insert a provision that such approval may not be unreasonably withheld.
- Beware of policies with an allocation of defense costs provision where such costs will be divided between covered and non-covered damages. The better policy forms will pay 100 percent of defense costs, even if only a small part of the damages or causes of action are covered.
- Some Cyber Risk policies don’t pay for damages when the negligence or errors and omissions were due to an outsourced third-party vendor.
- Some Cyber Risk policies specify that the deductible or self-insured retention can only be satisfied by out-of-pocket expenses paid by the insured. However, whenever a responsible vendor pays for such expenses due to the triggering of an indemnification provision, the insured should be given credit to the extent that such vendor makes payment. In other words, the Cyber Risk policy should dovetail with any indemnification provisions to satisfy the deductible or self-insured retention requirements.
- Attempt to negotiate a partial waiver of any subrogation provision to take the place of any regular waiver of subrogation provision. Problems can arise if the Cyber Risk insurer pays a loss and then subrogates against any third parties who are responsible for causing the data breach. For example, a vendor may be responsible for the data breach, but the insured’s written contract with such vendor may include a limitation of liabilities provision in favor of the vendor. The Cyber Risk carrier may consider such a provision to jeopardize its subrogation rights. The solution is to make sure that the policy provision allows for the insured to waive subrogation rights prior to a loss.
Source: “How to Negotiate Cyber Insurance.” Rene L. Siemens and David Beck, Pillsbury Winthrop Shaw Pittman, LLP; Insurance Law Community; LEXIS-NEXIS communities.