Brokers around the globe are proselytizing about insurance for cyber risks. They say gaps in typical business coverages leave companies exposed to high costs and potentially extraordinary liability without coverage specifically tailored to cyber risks (including, but not necessarily limited to, data breach). And these brokers are right. The brokers, however, are sometimes wrong in encouraging their clients to opt into cyber coverage policies that are far less than ideal.
Recently, a client asked me to review various cyber coverage options presented to it by its broker. The broker had told the client that the cheapest option was, fortunately from the broker’s perspective, the best option. But as I reviewed the various cyber coverage forms, I was reminded that you often get what you pay for.
A marginally more expensive policy had various coverage advantages over the cheaper policies that more than justified the extra expense. I recommended that the client ignore the advice of the broker and opt into the more expensive option and, fortunately, the client agreed.
Here are some (but not all) of the distinguishing characteristics that made that more expensive policy preferable and that companies should be on the lookout for when evaluating cyber coverage options:
- The more expensive policy, in contrast to other options, was a “pay on behalf of” policy rather than a reimbursement policy. That meant that above the self-insured retention and below the limit, the insurance company was agreeing to pay covered expenses directly rather than having the insured pay and submit those expenses to the carrier for reimbursement. I generally do not like reimbursement policies because they force the insured to pay for costs up front out of its own pocket; even if a request for reimbursement is submitted immediately by the insured, the carrier often delays payment significantly (perhaps for months), and the reimbursement method allows the carrier to challenge costs after they are incurred and try to pick and choose which costs it will and will not reimburse. A “pay on behalf of” policy is generally far superior to a reimbursement policy.
- The more expensive policy had no sub-limits for the various types of coverages. All other things being equal, I prefer a policy without sub-limits. For instance, a policy that covers first-party data breach response services may sub-limit data breach notification costs to $250,000, even though the policy in other respects provides $2 million in coverage. What if the data breach involves one million data subjects? The costs of notification are certainly going to be more than $250,000. And what if the policy has no sub-limit for coverage of public relations services, and the insured views the notification expense to be part and parcel of the public relations strategy? Then there likely will be an argument with the carrier about whether the $250,000 notification sub-limit applies to those costs. It’s best to avoid these sorts of issues by having as few sub-limits in the policy as possible.
- The more expensive policy carved out from the breach-of-contract coverage exclusion costs, assessments and penalties related to Payment Card Industry Data Security Standards (PCI DSS) compliance after a data breach. Given that those costs, assessments and penalties can be hundreds of thousands or even millions of dollars, and that they sound in contract, this sort of exclusion carve-out is critical. The cheaper policies had no such carve-out from the breach-of-contract coverage exclusion.
- The more expensive policy expressly covered costs and fines related to regulatory scrutiny, whereas the cheaper policies did not. Given that cyber episodes tend to draw federal and state regulatory scrutiny and fines, this sort of coverage is critical and any cyber policy that excludes it should be significantly cheaper in comparison to justify this rather substantial hole in coverage.
- The more expensive policy provided for a limited period of free initial legal consultation in the event of a cyber security incident, whereas the other policies did not. That free limited period of consultation is critical to encourage insureds to reach out sooner rather than later to outside counsel designated by the carrier to determine whether and to what degree more action may be required and to envelop the response in attorney-client privilege to the extent possible. As is now widely recognized in the cyber risk realm, having outside counsel serve as a general contractor of sorts (or “data breach coach”) over a cyber response plan is highly preferable to employing self-help internally, particularly when the people providing that self-help may be motivated to cover up their own errors. The cheaper policies did not offer this free initial consultation with counsel designated by the carrier.
Cyber coverage is a critical part of any company’s insurance portfolio. But in securing that coverage, companies should strongly consider having counsel familiar with the entire range of first-party and third-party cyber risks review the options before binding coverage.