Despite the ever-rising prevalence of cyberattacks, the field of cyber insurance is still relatively new and evolving.
Insurance companies are constantly rewriting their cyber insurance policies in response to the evolving nature of the risks. As cyberattacks grow in sophistication, insurance companies, seeking to minimize their potential exposure, are drafting new policies that impose greater burdens and conditions upon corporate policyholders.
While every policy is different, there are some recurring issues that insurance companies raise to avoid paying out the full amount of a cyber claim.
Savvy policyholders who are aware of these common issues, outlined below, will be able to effectively navigate around them, thereby maximizing their potential insurance recovery in the event of a cyber-related loss.
This article examines some typical policyholder mistakes that insurance companies have used as a basis to reduce coverage.
1) Complete Your Cyber Applications with Your IT Security Officer or Employee
Cyber insurance applications have become more specific and targeted in their questions about your cybersecurity infrastructure and controls. Insurers may use any inaccuracies in your application responses as a basis to try to avoid coverage.
For example, a 2019 cyber renewal application from Travelers Casualty and Surety Company of America asks applicants whether they have up-to-date active firewall technology; up-to-date active antivirus software on all computers, networks and mobile devices; a process to regularly download and install patches; a disaster recovery plan; multi-factor authentication; and data encryption practices; and whether they are compliant with Payment Card Industry Security Standards.
Such technical questions are generally beyond the knowledge of the non-IT personnel who are typically responsible for insurance application submissions.
In addition to requiring detailed applications, it is now not uncommon for insurance companies to require separate attestation forms for specific security controls.
Such attestations may list minimum requirements that must be in place in order to obtain cyber coverage.
One insurance company’s multi-factor authentication attestation form, for example, asks applicants not only whether they have multi-factor authentication for employees when accessing the system through a website or cloud-based service (for example, when logging in remotely from home), but also for internal, non-remote access to the administrative directory, firewalls, routers, endpoints and services (for example, when logging in directly from the office).
When filling out such applications, it is important to remember that any inaccuracies may be used by the insurance company as a basis to deny your claim.
This is particularly a concern in those jurisdictions, like New York, that allow an insurer to rescind a policy based on a material mistake in an insurance application – even when that mistake was not willfully made by the policyholder.
(See N.Y. McKinney’s Insurance Law § 3105, which allows an insurance company to rescind a policy based on a material misrepresentation in an insurance application if the insurer can demonstrate that it relied on that misrepresentation in issuing the policy; willfulness on the part of the policyholder is not required.)
Because an inadvertent error in completing a cyber application arguably may be used as a basis to deny coverage, the application should be completed either by an IT security officer or employee or in close consultation with one.
2) Identify and Address Cybersecurity Vulnerabilities Before an Attack
Regularly evaluating your system for vulnerabilities and timely installing patches not only helps to prevent cyberattacks, but it also minimizes an insurance company’s ability to deny coverage for your remediation and recovery costs on the basis that such costs constitute improvements to your system.
A cyber policy may be written to bar coverage for system “upgrades,” “enhancements,” or “improvements.”
If your policy contains such provisions, your insurance company may argue that certain system recovery costs are for unnecessary improvements and attempt to deny those costs on the basis that the cyber policy is not meant to cover a policyholder’s enhancements to its pre-attack system.
3) Hire Cyber Experts Preapproved by Your Insurance Carrier if Your Policy So Requires
Cyber insurance policies may only cover cyber costs that are incurred through the use of insurer-approved cybersecurity professionals.
Before hiring any outside cyber consultants or performing any forensic investigatory, restoration, or recovery work on your system, check your policy to determine whether it requires you to select from a pre-approved list of insurer-designated consultants. Some policies allow the policyholder to hire a cyber consultant that is not on the insurance company’s list of designated professionals, but only with prior written approval from the insurance company.
If you hire someone not on the insurance company’s pre-approved list of cyber professionals and fail to obtain the insurance company’s advance written approval for the retention, the insurance company may use this as a basis to try to deny or reduce coverage for your claim.
Generally, it is good practice to review your policies before a loss happens and do so on a sufficiently regular basis (e.g., semi-annually) that you are familiar with their coverages, requirements and limitations.
4) Review and Notice All Non-Cyber Policies that Potentially Cover Your Claim
Review your non-cyber policies to determine whether they potentially cover cyber-related losses and provide what insurance companies misleadingly call “silent cyber” coverage (it’s not “silent” if the coverage grant encompasses it).
Such potential coverage may be found in your general liability policy, first-party property policy, D&O policy and crime insurance policy, among others.
For example, a crime insurance policy may cover the ransom paid to attackers to restore access to your system, files, and information following a ransomware attack.
This is similar to G&G Oil Co. of Indiana, Inc. v. Cont’l Western Ins. Co. (Ind. Mar. 18, 2021), which concluded that a ransomware payment might be covered under a crime policy’s “computer fraud” provision, even though the policyholder had declined a policy extension for computer hacking and virus coverage. The case was remanded to the trial court.
5) Your Policy May Require You to Mitigate Damages from a Cyberattack, But Do Not Assume that the Insurance Company Will Agree to Pay Your Mitigation Costs
Just because the policy requires you to mitigate damages from a cyberattack, do not assume that the insurance company will agree to cover your mitigation costs.
If the policy does not explicitly say that it covers mitigation costs, the insurance company may attempt to disclaim coverage for such costs that are not otherwise expressly covered under one of the coverage provisions of the policy.
For example, if you use your own IT and cybersecurity salaried employees to respond to an attack, the insurance company may refuse to cover the employees’ salaries for the time when they were responding to the attack, and it may argue that it has no obligation under the policy to cover employee salaries, because those are part of the policyholder’s normal operating expenses and would have been incurred in the absence of the cyberattack.
The insurance company may claim such costs are not covered even though your IT employees are working exclusively to respond to and recover from the cyberattack and are not otherwise performing their regular tasks and duties.
Additionally, the insurance company may decline coverage even though the use of your own employees ultimately reduces your cyber-related losses (as well as the insurance company’s potential exposure) and allows you to resume operations faster because of your employees’ familiarity with your system and their ability to commence breach response immediately.
6) Do Not Assume that the Insurance Company Is Operating to Protect Your Interests
One common policyholder mistake is to assume that insurance companies’ interests are aligned with theirs. Assume, rather, that the goal of insurance companies is to maximize their profits and that they will deploy every coverage defense and policy exclusion available to reduce their payouts.
In the context of cyber liability insurance, specifically, the insurance company may require you to hire a forensic accountant or cyber claims consultant from their designated list of valuation experts to assist in valuing your cyber claim.
In such instances, do not assume that the insurance-company-recommended expert represents your interests.
That valuation consultant is beholden to the insurance carrier, which it views as a source of repeat business – and not to you. If you find yourself in that situation, it is best to retain your own independent professional, skilled in cyber liability insurance claims, to counsel you in your dealings with both the insurance company and the third-party valuation consultant.
Insurance is likely to be the last thing on your mind, or certainly not at the top of your list, when you have suffered a cyberattack. For this reason, it is important to plan ahead, educate yourself, and know and understand your rights and obligations under your cyber policy and other potentially responsive policies now, so that you are better able to protect your business in the event it ever experiences a cyberattack.