The left hand takes away: Exclusions to watch for in your Cyber-Risk Policies
on March 25, 2015
Earlier in the year, Alexandra Dattilo warned us that data breaches may not be covered by the typical commercial general liability (CGL) policy. And, indeed, insurance companies are fighting a two-front war to keep data breaches out of the coverage provided by CGL policies. In the courts, the insurers are arguing that CGL policies never covered data breaches. And in the market, they are selling policies subject to exclusions aimed at carving out liability for all manner of cyber risks.
But just as CGL policies are phasing out coverage for data breaches, the risk of a data breach has never been greater. The news is replete with examples. Anthem, Home Depot, Sony—they, and so many others, have all been the victims of recent data breaches. And according to the Ponemon Institute, which studies information and privacy management practices, even more data breaches could be in store for 2015. (Ponemon Institute, 2014: A Year of Mega Breaches, at pg. 1, available for download here.)
So, with CGL policies shrinking from the growing risk of data breaches, how does your business protect itself? A cyber-risk policy might be the answer.
Now, the first thing you need to know about a “cyber-risk” policy is that there is not one such thing, but many. A number of insurers offer different products, whose terms and conditions vary from policy to policy. In general, though, policyholders can purchase insurance that protects against the following risks:
- Data Breach
- Regulatory Investigation
- Misappropriation of Intellectual Property
- Transmission of Malicious Code
- Data Recovery
- Business Interruption
- Extortion
But beware: What a cyber-risk policy gives with its right hand, the left hand can just as easily take away. And in fact, many of these policies are subject to exclusions, which may defeat the purpose of obtaining the coverage in the first place.
For example, some policies may over-restrict the coverage territory, such that they apply only to claims made in the United States. The internet is international, so in order to truly protect against all risks, the policyholder needs coverage against claims no matter where they are made.
Also, some policies contain exclusions for “failure of security,” which require the policyholder to maintain certain minimum levels of data security, or else forfeit coverage. Depending on how broadly these provisions are worded, they may make the insurance hardly worth the cost. After all, the main reason to buy cyber insurance is to protect against the risk that the policyholder’s security measures will fail, either through negligence or otherwise.
If your company collects sensitive data, as most companies do, at least with respect to their employees, you may want to purchase one of the various cyber policies. Work with your insurance broker to identify which policy is right for you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2024 Brouse McDowell. All rights reserved.