Some Cyber Insurance Policies Not Ready for the Big League
GAPS REMAIN EVEN NOW
Cyber insurance has been in the market for quite a few years now. When an insurance product has been around long enough, its wording eventually becomes standardized. Not so, yet, in the cyber market, so care is needed.
Even to this day gaps abound. Some examples from policies proposed by brokers and insurers in mid-2019:
Cloud Applications Not Recognized
“Security Failure” is defined in the policy to include breaches of “the insured organization’s computer system,” with no definition of computer system. In response to our request to broaden or define the scope, the broker argued that computer system means the system itself and everything connected to it. Our plan in negotiating insurance language is not to hope a friendly court agrees with the broadest possible interpretation. Rather, our goal is to provide clarity and certainty. We demand language, already available in the market, that defines computer system and/or network broadly enough to encompass the client’s operations, including cloud applications. Here is one example:
Lack of Clear Coverage for Insider Fraud/Hack
Insider exploits may not be frequent, but they can be the most severe of all cyber losses. Disgruntled employees, holding an insider’s keys and access, have caused total destruction of their employers’ systems and data.
We certainly need secure coverage for these actions. But some policies are woefully deficient in how this is covered. An example:
The language of this proposed policy provided insider coverage except for actions by “senior executives.” We would prefer a very narrow definition of senior executive, of course, but the definition in question was:
As you can see, this definition goes on and on, sweeping in some of the positions we would be most concerned about, such as “chief information security officer.” To make doubly sure no claim would survive, the same policy also specifically excluded claims related to “employment practices,” removing from coverage any claim “directly or indirectly arising from”:
Only key top management can properly be excluded, and no employment practices exclusion should appear in a cyber policy.
No Coverage for Data Breach of Third Party Corporate Data
In one proposed policy we troubleshot, there was coverage for personal data but not for corporate data.
A data breach can result in liability for exposing another party’s confidential information. These other parties can be employees or other individuals, or they can be companies with whom you do business.
In the case in question, a covered Data Breach is defined as a breach that exposes “personally identifiable information” (PII), defined as follows:
What about the business data we were looking for? Nowhere in sight.
What we need is for covered data to include both PII and business-related data, such as the Third Party Information defined in the acceptable policy we did adopt:
Not ready for the big league! Too many amateurs still prowling the hallways of the insurance industry.
(c) Licata Risk & Insurance Advisors, Inc. 2019
Frank Licata
[email protected]; 617.718.5901
Sep 13, 2019