Cyber Liability Policies – Who Needs Them?
Cyber insurance appears to still be a mystery, although the first cyber liability policies appeared 20 years ago. What is covered? What is excluded? Why does the customer need it? Does the customer need it? All of these questions and more come to mind when we consider cyber liability.
One of the struggles comes from the fact that policy forms differ from insurer to insurer, and we don’t really know what’s in a form until we read it. They look very different from the forms we’re used to, and the coverages don’t carry the names we’re used to.
Let’s look at a few coverages in a cyber liability policy that you should verify for your customer. As always, you need to read the specific policy you’re dealing with to find out what’s covered for your customer, but this might give you some direction as you have conversations about cyber liability policies.
“We” shall pay on “Your” behalf “Regulatory Fines,” “Consumer Redress Funds” and “Claim Expenses” that “You” become legally obligated to pay in excess of the applicable retention resulting from a “Regulatory Claim” first made against “You” and reported to “Us” during the “Policy Period” or “Extended Reporting Period,” arising out of a “Privacy Wrongful Act” occurring after the “Retroactive Date” and before the end of the “Policy Period.”
Can you imagine getting a call from a customer saying that not only did they suffer a data breach, but now a regulatory body called them, and they plan to levy some fines or penalties against them? This coverage is designed to pick up these expenses.
You see several defined terms here (every word in quotation marks in an insurance policy is a defined term, and you should expect to find its definition somewhere in the policy). These defined terms will help us understand what this coverage pays for. The coverage applies to three distinct areas of financial responsibility.
“Regulatory Fines” means fines, penalties or sanctions awarded for a violation of any “Privacy Regulation”.
“Consumer Redress Funds” means any sums of money “You” are legally required to deposit in a fund for the payment of consumers due to a settlement of, or an adverse judgment in, a “Regulatory Claim.”
“Claims Expenses” means … We haven’t reproduced the whole definition of claims expenses, because the important point is that claims expenses are included inside this coverage. Watch this language; if you missed it in the quoted paragraph above, go back and read it. The paragraph lists “regulatory fines,” “consumer redress funds” and “claims expenses” together within the same coverage, which means claims expenses are inside the policy limits. Every dollar spent investigating, adjusting, settling or defending the regulatory claim comes out of the same limit that is available to indemnify the customer, so a long defense can use up the limit before any fine is paid. Note also that everything here is payable “in excess of the applicable retention”: the insured pays the retention first.
The other two items, “Regulatory Fines” and “Consumer Redress Funds,” provide funds when a regulator finds that the customer has violated a “Privacy Regulation,” which the policy defines as any regulation ‘… requiring “You” to limit or control the collection, use of, or access to, “Private Information” ….’ When that happens, this coverage picks up the costs as defined in the policy. You’ll notice that those costs include the fees, fines or penalties that the regulator assesses. You’ll also notice that there is no mention of which regulator has to levy the fines. There aren’t those kinds of boundaries online: your customers could have customers all over the world, so the regulator might not even be local to the insured.
Consumer redress funds cover any sums that a settlement or judgment requires to be set aside to compensate the affected consumers. Why not simply pay the consumers affected by the breach? Because the insured may not know immediately who was affected. You’ve seen stories where millions of users’ data was compromised; those companies often didn’t know whose data was taken or what the impact of the compromise would be. In truth, the injured parties may not learn there is an issue for months or years down the road.
Let’s look at one more critical coverage in this policy.
“We” shall reimburse “You” for the “Cyber-Extortion Expenses and Cyber-Extortion Payments” that “You” actually pay in excess of the applicable retention directly resulting from a “Cyber-Extortion Threat” that “You” first receive and report to “Us” as soon as practicable during the “Policy Period.”
We live in a time when someone can email your company and infect your entire network with ransomware. If you’re not familiar with it, ransomware is malicious software that encrypts the victim’s files or systems and demands payment for the key to restore them. The policy doesn’t use the word, but it addresses the exposure through its definition of a “Cyber-Extortion Threat.”
“Cyber-Extortion Threat” means a credible threat or connected series of threats made by someone other than a member of the “Control Group”:
To introduce “Malicious Code” into “Your” “Computer System;”
To interrupt “Your” “Computer System” or interrupt access to “Your” “Computer System,” such as through a “Denial of Service Attack;”
To corrupt, damage or destroy “Your” “Computer System;” or
To disseminate, divulge or improperly utilize any “Private Information” on “Your” “Computer Systems” taken as a result of a “Network Disruption.”
You’ll note that the only notice requirement is to report the threat to the insurer as soon as practicable. The insurer recognizes that an extortion threat usually arrives on a short deadline: the insured may be contacted about a threatened event and have only a short time before it is carried out. Of course, you see that this definition is full of defined terms in the policy. Without diving into all of the specifics of this policy, you can see that the intent is to provide coverage when something bad is about to happen (or has already happened) to an insured’s computer system.
It’s also important to note that the reimbursement is for “cyber-extortion expenses” and “cyber-extortion payments” that have actually been paid. We would learn in the definitions of those phrases that the insurer retains the right to approve the expenses and payments before they are incurred, so an insured that pays a ransom without first getting the insurer’s approval risks an unreimbursed payment. Paying attention to those kinds of details is the difference between a claim being fully paid quickly and fully denied quickly.
There are more coverages within this policy, including security breach response, security liability, privacy liability and business income. That brings us back to one of the original questions. Who needs a cyber policy? The answer is simply anyone that has a cyber exposure. Who has a cyber exposure? Any organization that has computers connected to the internet and to each other. This particular policy also includes coverage if the company’s employees’ data is compromised, and what company today doesn’t have some employee data on its network?