December 16, 2022
5 Tips for Getting the Best Cyber Coverage
1. Obtain Retroactive Coverage
Many cyber policies are claims-made, meaning they will only cover incidents that occurred during the policy period.
Let’s say your cyber policy has an inception date of January 1, 2022, and several days later you discover that three months previously you started having cyber breaches. The incidents that occurred prior to January 1, 2022, will not be covered under a claims-made policy. The solution is to buy coverage extending back 2, 4, 6 or even 10 years, unless you can simply buy an occurrence form.
2. Beware of Panel and Consent Provisions
Many cyber policies require that the investigators, consultants or attorneys used to respond to a cyber claim must be drawn from a preapproved list. If you have consultants you would like to work with in the event you have to file a claim, ask that they be added to the list.
As James Bobotek, a partner at Pillsbury Winthrop Shaw Pittman in McLean, Virginia, points out, “Cyber policies also often contain provisions stating that the policyholder must obtain the insurer’s consent before incurring any expenses to notify customers of a data breach, conduct forensic investigations, or defend against third-party claims.
“Insurers sometimes invoke these provisions to deny coverage when emergency costs have been incurred without the insurer’s consent, even if the costs are entirely reasonable and necessary. If prior-consent provisions are included in the policy you are considering and cannot be removed, you should, at a minimum, change them to provide that the insurer’s consent ‘shall not be unreasonably withheld.’”
3. Pay Attention to How Defense Costs Are Allocated
Sometimes lawsuits involve claims covered by a cyber policy as well as claims that are not. What portion of the policyholder’s defense costs will be paid from the cyber policy?
As James Bobotek points out, some policies say that the insurer will pay all defense costs if the lawsuit alleges any claim that is potentially covered. Others stipulate that the insurer will only pay costs that it unilaterally believes to be covered unless or until a different allocation is negotiated, arbitrated, or determined by a court.
These issues are less likely to arise under a “duty to defend” policy, where the insurer must assume the defense of any third-party claims. This type of policy typically covers all defense costs as long as any of the claims are potentially covered. However, under a “duty to reimburse” policy, where the insurer agrees to reimburse the policyholder for its defense costs or pay them on its behalf, allocation is more likely to be disputed.
Be sure you understand the allocation method contained in the policy you are considering. Try to negotiate one that is favorable to you.
4. Be Sure You Have Coverage for Vendor Acts and Omissions
At least a part of an organization’s data may be outsourced to third parties. It’s crucial that your policy cover you for breaches they may cause. Most but not all cyber policies cover “vicarious liability” for acts and omissions of vendors, consultants and sub-contractors. Be sure your policy language is not ambiguous about this.
That said, you should also require that vendors and others in whose care you place your data have adequate cyber insurance themselves and name you as an additional insured. Get a certificate of insurance.
Also, your policy should state that when their insurance applies, your insurance should only apply after the vendor’s insurance coverage has been exhausted.
5. Get a Partial Subrogation Waiver
When you have a loss, your insurer is typically “subrogated” to any claims you may have against third parties. This allows your insurer to recover funds they paid to you by going after your vendors if they were culpable for those losses. To fortify your insurer’s rights in that respect, your policy may say that you cannot do anything to impair your insurer’s right to subrogation.
The problem is that many contracts with data managers state that their liability to you is limited. That can put you in breach of your insurance contract. The way to fix this problem is to obtain a partial waiver of subrogation for your cyber policy. This will provide that the insurer will not assert that its right of subrogation has been impaired by any contracts you entered with vendors prior to a loss.