pillsburylaw.comPillsbury Winthrop Shaw Pittman LLP
Don’t Wait Until It’s Too Late:
Top Ten Recommendations
For Negotiating Your Cyber
Insurance Policy
By James P. Bobotek
As more and more companies of all sizes ranging across a wide spectrum of industries
have been exposed to network and data security breaches in recent years, the market for
insurance products dedicated to cover cyber risks has grown just as fast. With policies
sold under names like “cyberinsurance,” “privacy breach insurance,” “media liability
insurance,” and “network security insurance,” the market for this coverage often seems
chaotic, with premiums and terms varying dramatically from one insurer to the next.
Unlike more traditional insurance policies
that contain very similar terms, conditions
and exclusions no matter which insurer
issues them, cyber insurance policies are far
from uniform. Prior to placing or renewing
a cyber policy, it is therefore crucial to
understand not only what you are being
oered, but also how to negotiate coverage
for the risks inherent in your business.
Every policy’s coverage is dierent. Before
you buy or renew a cyber policy, be sure
to review and understand the following
guidelines.
Perspectives
on Insurance Recovery
Summer 2015
Welcome to th e latest edi tion of Pillsb ury’s
Perspect ives on Insuran ce Recovery. Wh ether
you need an advo cate in a disput e with carrie rs,
or some advi ce on the placement o f coverage,
you can count on P illsbury ’s team of 25 at torneys
in five of fices across the co untry to pr ovide you
with kn owledgeable, e fficient and p ractical
assist ance. As this 2 015 edition of P erspectiv es
demonst rates, our tea m is working on t he most
challenging issues—from cyber-insurance and
complex claim s arising out of m ajor disaster s, to
coverage dis putes arising f rom the expl osion of
merger-related litigation.
Pillsbur y’s team is also h andling an unusual
number of ins urance coverage t rials this year,
including a hig h-profile ba d faith case again st
AIG in Cali fornia. Am ong major law firms w ith
insurance re covery pract ices, Pillsbur y’s
abilit y to pursue such clai ms free of confl icts is
becoming increasingly unusual.
We hope you enjo y this editio n, and welcome
any feedback .
Peter Gillon an d Robert Wallan
Co-leade rs, Insurance Re covery & Adv isory
Don’t Wait Until It’s Too Late:
Top Ten Recommendations For
Negotiating Your Cyber Insurance Policy 1
Indemnity And Insurance Provisions
in Construction Contracts 3
FCA Threats Are Likely Greatest
Outside The Fortune 100 5
Time Element Extensions:
An Important Endorsement To Commercial
Property Insurance Policies 7
Are You Covered For A Superstorm? 8
Maximizing The Return On Your D&O
Insurance For Merger Objection Lawsuits 9
Don’t Trust, Verify:
What Every Business Needs To Know
About Certificates Of Insurance 10
Florida Appeals Court Overturns Notice/
Prejudice Ruling Against Policyholder 11
Earthquakes Are Spreading –
Is Your Insurance Program Ready? 15
ARTICLE HIGHLIGHTS
2
| Summer 2015
Pillsbury Winthrop Shaw Pittman LLP
1. Buy Only What You Need
Many cyber policies provide an “à la carte”
arrangement that includes the option to
purchase seven basic coverages. Three
of those coverages involve third-party
losses: (i) Privacy Notification and Crisis
Management Expense; (ii) Regulatory
Defense and Penalties; and (iii) Information
Security and Privacy Liability. Two
involve first-party losses through what are
commonly referred to as “time element”
coverages: (i) Business Interruption and (ii)
Extra Expense. The other two, also first-
party related, provide “theft of property”
coverages: (i) Data Assets and (ii) Cyber
Extortion.
With all the bells and whistles now oered
by some insurers, consider the specific
risks against which you wish to insure, and
whether you really need all of the coverages
being oered. Always include notification
and crisis management expense coverage,
as well as regulatory defense coverage.
Time element coverage is also important,
especially for small businesses, as lack of
income for even a short period may be
disastrous.
If an insurer is unwilling to remove an
objectionable exclusion or limitation from
its policy, then ask your broker to get bids
from other insurers. The cyber insurance
market is highly competitive, with many
insurers currently focused on building
market share. This means that one might
be willing to provide coverage or terms that
another will not.
2. Carefully Vet the
Limits of Liability
One of the most important issues in
negotiating cyber coverage is determining
the appropriate limits of liability. The
costs of responding to a data breach
can be substantial. In 2014, the average
organizational cost of a data breach was
approximately $5.8 million. Response
costs for breaches involving the loss
or theft of personal data were as much
as $950 per electronic record. To put
that number in context, a data breach
involving just 25,000 records—a below-
average total—would exhaust a $5 million
policy. And if plaintis in a class-action
suit obtained a judgment under a state
statute that imposes $1,000 in damages for
each claimant, the judgment alone could
consume $25 million of insurance policy
limits. Because cyber insurance is relatively
inexpensive, you should choose limits of
liability in line with your total potential
liability exposure in the event of a breach.
Your broker should be able to assist you in
determining appropriate limits by utilizing
its benchmarking databases.
Most cyber policies impose sublimits
on some coverages, such as for crisis
management expenses, notification costs or
regulatory investigations. These sublimits
are not always obvious, and they are often
inadequate. They should be scrutinized
carefully and set realistically. Also make
sure that the policy’s aggregate limit
applicable to all coverages is not less than
the total of all sublimits.
3. Obtain Retroactive Coverage
Many cyber policies limit coverage to
breaches that occur after a specified
“retroactive date.” In some, this date is the
same as the policy’s inception date. This
means there may be no coverage provided
for claims made due to breaches that
occurred before the policy period, even if
the insured did not know about the breach
when it bought the policy.
Because breaches may go undiscovered for
some time before claims are made, insureds
should always ask for a retroactive date that
is earlier than the inception date. This will
ensure that the coverage includes unknown
breaches that first occur prior to the policy’s
inception, but do not manifest themselves
until after that date. Insurers do not always
oer retroactive coverage unless asked, but
it is commonly available for periods of one,
two, five or ten years. Some oer unlimited
retroactive coverage.
4. Beware of Broadly
Worded Exclusions
It is not uncommon to find cyber insurance
provisions that contradict the insured’s
basic purpose in buying the coverage.
Sometimes these provisions have been cut
from other insurance policy forms and
pasted into cyber insurance forms where
they do not belong. For example, some
policies broadly exclude coverage for any
liability arising from a breach of contract.
Many insureds collect and store confidential
information from customers, patients or
business partners pursuant to contracts that
require them to maintain the confidentiality
of the information. They buy cyber
insurance precisely to protect them in case a
privacy breach gives rise to damages claims
under such confidentiality agreements.
Many insurers, if asked, are willing to
modify exclusions to make it clear that they
will not bar coverage for claims that go
to the core of an insured’s business. This
is just one of many examples of broadly
worded exclusions that need to be reviewed
carefully and narrowed to make sure
that they will not defeat the reasonable
expectations of the insured in buying cyber
insurance.
5. Beware of Panel and
Consent Provisions
Many cyber policies require that any
investigators, consultants or attorneys
used by the insured to respond to a claim
or potential claim be drawn from a list of
professionals that have been pre-approved
by the insurer. If you would like your
preferred consultants and attorneys to be
involved in the event of a loss because they
already know your business operations, it is
a good idea to ask to add these professionals
to the insurer’s pre-approved list during the
underwriting process.
Cyber policies also often contain consent
provisions stating that the insured must
obtain the insurer’s consent before
incurring any expenses to notify customers
or patients of a data breach, conduct
forensic investigations or defend against
third-party claims. Such prior consent
Don’t Wait Until It’s Too Late:
Top Ten Recommendations…
(cont. on page 12)
