10 Tips for Negotiating Your Cyber Insurance Policy
Published in INSIGHT - Summer 2018
By: James Bobotek
Cyber insurance provides critical protection against the legal and financial repercussions of a data breach, but policy terms vary widely among insurers. These 10 recommendations will help you negotiate the best terms for your association and stay ahead of the hackers.
Organizations of all sizes, across a wide spectrum of industries, have been increasingly exposed to network and data security breaches. This has triggered a fast-growing market for insurance products dedicated to covering cyber risks. With policies sold under names like “cyber insurance,” “privacy breach insurance,” “media liability insurance,” and “network security insurance,” and with premiums varying dramatically, the market for this coverage can seem chaotic.
Unlike more traditional insurance policies that contain similar terms, conditions, and exclusions no matter which insurer issues them, terms in cyber policies differ widely from one insurer to the next. When considering a cyber policy, it is crucial to understand not only what you are being offered, but also how to negotiate coverage for the risks inherent in your association’s operations.
Before you buy or renew a cyber policy, be sure to review and understand these 10 important guidelines.
1. Buy Only What You Need
Many cyber policies provide an à la carte arrangement that includes the option to purchase seven basic coverages:
- Three involve third-party losses: privacy notification and crisis management expense, regulatory defense and penalties, and information security and privacy liability.
- Two involve first-party losses through what are commonly referred to as “time element” coverages: business interruption and extra expense.
- The other two, also first-party-related, provide “theft of property” coverages: data assets and cyber extortion.
With all the bells and whistles now offered by some insurers, consider the specific risks against which you wish to insure and whether you really need all of the coverages being offered. Always include notification and crisis management expense coverage, as well as regulatory defense coverage. Time-element coverage is also important, especially for small organizations, as lack of income for even a short period may be disastrous.
If an insurer is unwilling to remove an objectionable exclusion or limitation from its policy, then ask your broker to get bids from other insurers. The cyber insurance market is highly competitive, with many insurers currently focused on building market share. One might be willing to provide coverage or terms that another will not.
2. Vet the Limits of Liability
One of the most important issues in negotiating cyber coverage is determining the appropriate limits of liability. The costs of responding to a data breach can be substantial. Because cyber insurance is relatively inexpensive, you should choose limits of liability in line with your total potential liability exposure. Your broker should be able to assist you in determining appropriate limits by using its benchmarking databases.
Most cyber policies impose sublimits on some coverages, such as for crisis management expenses, notification costs, or regulatory investigations. These sublimits are not always obvious, and they are often inadequate. Scrutinize them carefully and ensure that the insurer sets them realistically. Also make sure that the policy’s aggregate limit applicable to all coverages is not less than the total of all sublimits.
3. Obtain Retroactive Coverage
Many cyber policies limit coverage to breaches that occur after a specified retroactive date—often, the policy’s inception date. This means there may be no coverage for breaches that occurred before the policy period, even if you did not know about the breach when you bought the policy.
Because breaches may go undiscovered for some time before claims are made, always ask for a retroactive date that is earlier than the inception date. Insurers do not always offer retroactive coverage unless asked, but it is commonly available for periods of one, two, five, or ten years. Some offer unlimited retroactive coverage.
4. Beware of Broadly-Worded Exclusions
It is not uncommon to find cyber insurance provisions that contradict an organization’s basic purpose in buying the coverage. Sometimes these provisions have been cut from other insurance policy forms and pasted into cyber insurance forms where they do not belong.
For example, some policies broadly exclude coverage for any liability arising from a breach of contract. Many organizations collect and store confidential information from customers, patients, or business partners under contracts that require them to maintain its confidentiality. They buy cyber insurance precisely to protect them in case a privacy breach gives rise to claims for damages under these confidentiality agreements.
Many insurers are willing to modify exclusions to make it clear that they will not bar coverage for claims that go to the core of the policyholder’s business. Be sure to review carefully any broadly worded exclusions and ask the insurer to narrow them so that they do not defeat your reasonable expectations in buying cyber insurance.
5. Beware of Panel and Consent Provisions
Many cyber policies require that any investigators, consultants, or attorneys that the policyholder uses to respond to a claim be drawn from a list of professionals that the insurer has preapproved. If you would like your preferred consultants and attorneys to be involved in the event of a loss, ask to add their names to the insurer’s preapproved list during the underwriting process.
Cyber policies also often contain provisions stating that the policyholder must obtain the insurer’s consent before incurring any expenses to notify customers of a data breach, conduct forensic investigations, or defend against third-party claims. Insurers sometimes invoke these provisions to deny coverage when emergency costs have been incurred without the insurer’s consent, even if the costs are entirely reasonable and necessary. If prior-consent provisions are included in the policy you are considering and cannot be removed, you should, at a minimum, change them to provide that the insurer’s consent “shall not be unreasonably withheld.”
It is also a good idea to keep your insurer on speed dial when a breach happens so that it cannot assert that it has been kept in the dark about any emergency-response costs you incurred.
6. Pay Attention to How Defense Costs Are Allocated
When a lawsuit involves some claims that are covered by a cyber policy and others that are not, a question often arises: What portion of the policyholder’s defense costs must the insurer pay? Some provisions are more advantageous to the policyholder than others.
For example, some policies say that the insurer will pay all defense costs if the lawsuit alleges any claim that is potentially covered. Others stipulate that the insurer will only pay the costs that it unilaterally believes to be covered until a different allocation is negotiated, arbitrated, or determined by a court.
These issues are less likely to arise under a “duty to defend” policy, where the insurer must assume the defense of any third-party claims. This type of policy typically covers all defense costs as long as any of the claims is potentially covered. However, under a “duty to reimburse” policy, where the insurer agrees to reimburse the policyholder for its defense costs or pay them on its behalf, allocation is more likely to be disputed.
Be sure you understand the allocation method contained in the policy you are considering. Try to negotiate one upfront that is favorable to you.
7. Obtain Coverage for Vendor Acts and Omissions
Chances are that at least a portion of your organization’s data processing and storage is outsourced to a third-party vendor; therefore, it is crucial that your cyber policy covers claims against you that result from breaches caused by your data management vendors.
Most, but not all, cyber policies provide this “vicarious liability” coverage, and it is widely understood in the insurance industry that policyholders expect coverage for claims that arise out of the acts and omissions of their vendors, consultants, and subcontractors. If an insurer does not initially offer this coverage, or if the language is at all ambiguous, demand that the coverage be clearly included in the policy.
8. Dovetail Cyber Insurance with Indemnity Agreements
You should also ensure that your cyber policy and vendor indemnity agreements complement each other so you can maximize your recovery from both sources. Some cyber policies state, for example, that the deductible “shall be borne by the insured” and that, if potential claims are left uncovered by the policy, the insured “shall [remain] uninsured at its own risk.” Some insurers may interpret this language as requiring you to pay the deductible or self-insured retention out of your own pocket, and they take the position that if you get reimbursed for this amount from the vendor that caused the breach, then you have failed to satisfy this precondition of coverage.
This kind of clause can present you with a Hobson’s choice: either pursue indemnity from your vendor and give up your insurance or collect from your insurance company and let the responsible vendor off the hook. This unfair outcome is not in the interest of either insurer or policyholder. Insurers are often willing to modify these provisions to clarify that you can collect from a third party without compromising your insurance coverage.
9. Align Cyber Insurance with Other Insurance
Some cyber policies also cover claims against you for breach-related losses suffered while the data is in your vendor’s custody. In some cases, there may be good business reasons for vendors to be insured under your policy, but it is generally better to contractually require your vendors to obtain their own cyber insurance and to name you as an additional insured under that policy.
Then, your policy should state that it will apply to claims against you arising out of your vendor’s data breach only after that vendor’s insurance coverage has been exhausted. This structure can reduce the odds that your policy limits will be depleted by claims for which your vendors are primarily responsible.
10. Get a Partial Subrogation Waiver
If your insurer pays a loss, it may become “subrogated” to your claims against any third parties that were responsible for causing the breach. This means that the insurer can try to recoup its payment to you by pursuing your claims against the responsible parties. Many cyber policies contain a provision stating that you cannot take any action to impair the insurer’s subrogation rights.
One problem with such provisions in the cyber context is that contracts with data management vendors commonly include provisions that limit their liability. In such cases, your insurer may claim that you have breached your insurance contract by impairing the insurer’s recourse against the culpable vendor.
A possible fix is to insist that a partial “waiver of subrogation” provision be added to your cyber policy. These provisions, which are common in other lines of coverage, provide that the insurer will not assert that its subrogation rights have been impaired by any contract you entered into before a loss occurred.
Some insurers are willing to agree to such provisions in the cyber context, but others may not be. If your insurer is not willing to give a partial subrogation waiver, you should consider shopping elsewhere.
James Bobotek is a partner with Pillsbury Law. He can be reached at email@example.com