Some Considerations in Insuring Against Cyber Loss
By Derek Cowan
The purpose of any insurance policy is to manage or transfer the risk of unfavorable occurrences away from the insured. For millennia, insurance policies have existed to transfer the risk of hazards which cause damage to property. For centuries, policies have existed to transfer the risk of injuries or damages arising from individuals’ negligent acts.
However, because of the relative infancy of electronic data qua property and the accelerating pace at which bad actors can surreptitiously access this immensely valuable data, insurance products suitable for adequately managing the risks of loss in this sui generis realm are playing a frustrating and expensive game of “catch-up.” Individuals and entities are wise to cautiously explore their specific risks in this arena and the ways in which they can effectively “insure away” their exposures. In the 1990s, insurance carriers began to address this need by issuing dedicated cyber insurance policies to help businesses and individuals protect themselves from internet-based risks associated with information technology activities.
Generally, the hazards that can befall electronic data are threats to privacy: customers entrust private health, financial or identity information with a vendor or service provider, and miscreants, typically motivated by illicit profit, access, disseminate or otherwise exploit the private information. Other risks are the direct compromise or loss of an individual’s or enterprise’s own confidential information or intellectual property.
Cyber insurance policies frequently provide both first- and third-party coverages. First-party losses involve direct loss suffered by the insured, while third-party claims are for damages claimed by another for which the insured may be answerable. The first-party losses insured include: property damages to a business’ intangible assets, such as software or electronic data; theft of a company’s proprietary information or its consumer data; costs associated with business interruption resulting from a breach; damages to other company assets caused by viruses or malware; expenses incurred in restoring an entity’s systems following a breach, including both software and hardware replacement; reimbursement for the fraudulent transfer of the company’s money, property, securities, etc.; and “crisis management” expenses necessary to rehabilitate the insured’s reputation and goodwill.[1]
Predictably, a cyber insurance policy’s third-party coverages involve losses realized by other parties who have entrusted, implicitly or explicitly, their valued electronic data with the insured. Typical third-party losses include: damage to the property of a third party; denial of access of the third party to its own data held by the insured; losses arising from unauthorized use of the third party’s confidential information; claims against the insured of instituting insufficient measures to protect the third party’s confidential information; expenses thereafter incurred by the third party in defending against regulatory actions or its own third-party suits.[2]
As another interesting facet of potential third-party exposure, some companies provide “conduit liability coverage,” which covers losses for which one insured may be found partially or wholly liable as a result of cybercriminals using a breach into that insured’s network to then directly access the network of the insured’s vendor or customer.[3] As computer networks of corporate allies become increasingly interconnected, one otherwise-impregnable system can be easily compromised if the system of a less-vigilant vendor, partner, subsidiary or customer has gaps. An example that illustrates this appropriated access to confidential information was a 2013 breach of retailer Target’s protected electronic data. Hackers first accessed the computer system of a company that provided heat and air services to Target. For reasons that must have seemed necessary to a (certainly) now-former Target decision maker, inadequately-protected connections between the HVAC contractor’s system and that of Target’s existed. Hackers’ access to an obscure mechanical contractor’s data system yielded entry to a massive cache of Target’s information, including customer names, addresses, dates of birth and account numbers.[4] Conduit coverage was designed to address liability concerns for this unique scenario.
Still another consideration related to liability for breaches arising from the acts or omissions of business partners of the insured is the interplay between the frequently present indemnity clauses in contracts with independent contractors and the insurer’s rights to subrogation. Under such coverages as conduit liability coverage and the like, an insurer may cover third-party liability claims for losses occurring as a result of lax electronic security of the insured’s independent contractors or other service providers. Under conventional tenets of insurance, the insurer would thereafter have a right of subrogation to recover the benefits paid under the policy from the party that actually caused the loss, i.e., the independent contractor. However, many contracts between principals and their independent contractors contain indemnification clauses, under which the principals (insureds) contractually agree to shift liability for the independent contractor’s acts or omissions back to the principal. Thus, the insured’s contract may jeopardize its cyber coverage if the carrier is prohibited from seeking subrogation from the protected contractor. Insureds who frequently deal with independent contractors must evaluate their existing subcontracts to determine if this potentially coverage-nullifying condition exists. If so, they may need to renegotiate their contracts.[5]
HOW TO BEGIN AN ANALYSIS OF SPECIFIC CYBER EXPOSURES
As more cyber insurance policies come to market, more specialized options become available to insureds. Therefore, the savvy risk manager must answer an increasing number of questions suited to her company’s particular custody and use of electronic data: whether that data is the company’s own or that of a vendor, partner or customer; what levels of protection the company is expected (or required) to maintain for that data; and, of course, what coverage the enterprise can afford. Among the growing number of questions necessary to begin the analysis are:[6]
1) How does the policy define a breach? Because of the occasional lag-time between a breach and confirmation thereof, the value of the exposure increases as time goes by. Additionally, the complexity of computer systems and the forensic examinations necessary to confirm a breach add to the discovery time. As such, the spectrum of coverage for a breach may run from when the breach is “reasonably suspected” to when the breach is definitively confirmed. Such timetables impose obligations upon the insured to maintain adequate protection and notification mechanisms, respond timely and meaningfully to potential threats and address actual breaches immediately.
2) Does the policy have “minimum security requirements” or the like that must be implemented and maintained on the company’s system and, if so, does it clearly define those requirements? As noted above, that an insured will have some form of firewall or other mechanisms in place to safeguard electronic data is not merely assumed; it can be required by the policy. More and more carriers are not simply insuring against a breach, but are making demonstrable, baseline network security measures conditions precedent to coverage for a breach. By adhering to a uniform level of minimum system security across the board of insureds, carriers can better anticipate the kinds of losses insureds will suffer and can better estimate the severity of those losses for underwriting purposes.[7]
3) Does the policy provide retroactive coverage, and can more-distant retroactive coverage be purchased if desired? The retroactive date is the date before which a policy will not extend coverage for a breach, even if the breach is discovered or reported during the policy period. As described above, an effective breach is one that goes unnoticed for some length of time. It is common for a breach to occur months or years before discovery. When incepting a policy, the insured must take this potentiality into account and must determine how much retroactive coverage is needed (or, more likely, how much can be afforded). Clearly, the more remote the retroactive date, the greater the uncertainty of risk, hence, the higher the cost. The policy will be of no utility, however, if the triggering event occurred on a date before the policy is in force.[8]
4) How does the policy treat mobile devices used to access the company’s data? Again, as so many systems become more intertwined, the “weak link” theory becomes more pressing and more problematic. As with conduit liability exposure, the proliferation of mobile devices used by a company’s employees (or, frighteningly, also by those of its vendors, partners or customers) creates innumerable possible access points to a company’s vault of confidential data. Some policies may provide coverage for breaches facilitated through mobile or peripheral devices; others may not.
5) In the likely case the company’s jurisdiction enforces regulatory requirements to notify third parties potentially affected by a breach, does the policy provide coverage for costs incurred in notification pursuant only to those requirements, or for all notifications? Oklahoma is one of the 48 states with statutory or regulatory requirements that the custodian of confidential or encrypted personal data must notify the affected owners of such data in the event of a breach.
“An individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose encrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.”[9]
While Oklahoma’s Security Breach Notification Act does not allow a private right of action to an aggrieved citizen, it does provide that the attorney general or a district attorney may bring action against the entity failing to abide by the notification requirements, and may recover either actual damages or a civil penalty not exceeding $150,000 per breach.[10] Oklahoma’s notification requirements are relatively broad, requiring immediate notification to affected residents following “access” that the entity maintaining the breached system “reasonably believes…will cause identity theft or other fraud[.]” Therefore, any cyber policy providing coverage for notification costs incurred in furtherance of the statute by an entity holding personal information of Oklahoma residents would likely respond to the vast majority of circumstances under which the entity might need to provide notification, notwithstanding statutory requirements. However, other jurisdictions’ notification requirements may be more relaxed; they may require notification only after some showing of exploitation of the protected data. (Oregon’s counterpart statute defines a security breach as an “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information.”[11] Washington’s statute also requires the breach to “compromise the security, confidentiality or integrity of personal information” before requiring notification.)[12] The astute risk manager will either review the notification standard(s) for the state(s) of residency of the owners of the protected information they will hold and purchase coverage consistent with those notification requirements, or will err on the side of caution by obtaining coverage for notification costs based upon the most inclusive definition of “security breach” available.
As with any emerging trend in jurisprudence, what is wise counsel one day may appear foolhardy the next. But the fallback position of “We aren’t entirely sure what this stuff is, so you’d better buy every kind of coverage you can” may be unnecessarily alarmist. Individuals or entities who maintain confidential electronic data are well-advised to incorporate risk management techniques to protect the enterprise from what is, unfortunately, becoming the “when, not if” probability of a breach by unauthorized persons. Companies should be careful not to rely upon a clause in their commercial general liability policy with the heading “Cyber Risk Coverage” and hope it will adequately address their specific needs. On the other hand, companies need not indiscriminately check every box on the cyber policy application to ward off the unknown, nor should they shy away from seeking cyber coverage on the assumption tailored coverage will be prohibitively expensive. As market players’ sophistication increases, refinement of the insurance products offered to suit this new need will also progress. Soon, decision makers will be equally accomplished in calculating and managing cyber risks as they currently are with property or liability risks.
Author’s Note: The author expresses his gratitude to Maegan Murdock for her research assistance on this topic.
1. Bailey, Liam M.D., “Mitigating Moral Hazard in Cyber-Risk Insurance,” 3 J.L. & Cyber Warfare 1 (Spring, 2014).
3. Pinguelo, Fernando M.; Stio, Angelo A. III; and Ibrahim, Hasan, Crisis Management: Electronic Data and Cyber Security Considerations, eDiscovery for Corporate Counsel, §17.8 (March, 2017).
4. Podolak, Gregory D., “Insurance for Cyber Risks: A Comprehensive Analysis of The Evolving Exposure, Today’s Litigation, and Tomorrow’s Challenges,” 33 Quinnipiac L. Rev. 369.
5. Pinguelo, Stio III, and Ibrahim, Id.
6. Pinguelo, Stio III, and Ibrahim, Id.
7. Greenwald, “Insurer Cites Cyber Policy Exclusion to Dispute Data Breach Settlement,” Business Insurance (May 15, 2015).
8. Wood and Gold, “When it Comes to Cyberinsurance, Buyer Beware: 10 Tips for Upping Recovery Odds from Cyber and D&O Policies.” Metropolitan Corporate Counsel (July 17, 2015).
9. 24 O.S. §163(A).
10. 24 O.S. §165(A) and (B).
11. Oregon Rev. Stat. §646A.600 et seq.
12. Wash. Rev. Code §42.56.590 et seq.
ABOUT THE AUTHOR
Derek Cowan is an attorney with the firm of Nelson, Terry, Morton, DeWitt & Paruolo in Edmond, where he practices in the areas of insurance defense, coverage and bad faith litigation.
Originally published in the Oklahoma Bar Journal, OBJ 88 pg. 1983 (Oct. 21, 2017).