June 24, 2018

June 22, 2018


Cyber Liability Insurance: Where’s the Beef?

“Cyber liability insurance” is often used to describe a range of insurance policies, in the same way that the word cyber is used to describe a broad range of information-security-related tools, processes and services. Everyone is talking about the need for “stand alone” cyber liability insurance policies. These stand-alone cyber liability insurance policies basically cover expenses related to the management of a breach, e.g., the investigation, remediation, notification and credit checking. However, cyber liability coverage is also found in some existing insurance policies, including kidnap and ransom and professional liability coverage. There may also be some limited coverage through a crime policy if electronic theft is added to that policy.

Despite the fact that there are many kinds of insurance policies available that arguably cover various “parts” of cyber risk, the parts that are not covered are significant. The problem is, very few insurance professionals really understand cyber risk or cyber liability insurance. This means that companies that are buying “stand alone” cyber liability coverage are often presented with the wrong information about the scope of coverage provided in a particular policy. I recently worked with a client who was told by the insurance underwriter that their stand-alone cyber policy covered theft of money and securities. This was not true. Coverage was limited to the theft of personally identifiable information, and money and securities were specifically excluded. Last month I was at a roundtable discussion with a group of directors when a broker suggested that a stand-alone cyber liability policy would cover the board of directors in the event there was a derivative suit. Again, this isn’t true.

What does this mean for a board of directors or a company that is worried about its cyber exposure? First of all, they should understand that “stand alone” cyber liability insurance policies provide important but limited coverage. Stand-alone cyber coverage isn’t a silver bullet that solves cyber risk. Like Clara, they need to be asking “where’s the beef?”

Cyber liability is a very complex risk that doesn’t neatly fall into any one insurance policy, and there are shortfalls in coverage everywhere.  When a board of directors is faced with a derivative suit for failure to oversee the protection of customer information, there is a risk that their directors & officers insurance coverage will not cover the lawsuit because there is a standard privacy exclusion in all directors and officers insurance policies that is often overly broad. Even if a separate cyber liability policy was purchased, that separate “stand alone” cyber liability insurance policy will not cover the board of directors, because a stand-alone cyber policy doesn’t cover derivative suits.  So, where does that leave the board of directors?  Exposed.  Similarly, while the separate “stand alone” cyber liability insurance policies cover privacy breaches, those breaches typically must be the theft of “personally identifiable information”.  However, what about the theft of a hedge fund’s trading information?  Uncovered.

So, what should a board of directors or company that is worried about insuring for cyber risk do? Ask detailed questions about what is covered and can be covered. Where is the beef? Ask that question more than once. Read all your insurance policies and ask exactly where the policy provision is that covers a particular risk. Take the time to understand where the gaps in coverage are and, to the extent possible, work to close those gaps in protection. Also, keep in mind that insurance is only one tool to help you manage risk; it isn’t the sole answer.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Heidi Lawson, Corporate Governance, Attorney, Mintz Levin, Law Firm

Heidi is an internationally recognized lawyer with extensive experience in corporate governance, bribery and corruption, compliance and internal investigations, indemnification, and directors and officers and fund management insurance in both the corporate and litigation context. She advises companies, brokers, private equity firms, hedge funds, family offices, investment banks and other investment advisors, and their senior executives on identifying risks, and protecting against those risks. Heidi’s practice is international in nature, including a strong focus on emerging markets.

Daniel Harary, Attorney, Professional Liability, Corporate Law, Mintz Levin Law

Daniel focuses his practice on business disputes with a concentration on corporate and professional liability. He has experience in litigation and mediation involving insurance, commercial and employment matters for diverse domestic and international clients. In complex coverage matters, Danny evaluates parties’ rights, duties and obligations under sophisticated insurance policies in individual and class action cases involving alleged violations of securities laws, wage and employment laws, the False Claims Act, and consumer protection laws. Additionally, he has experience in matters involving commercial contract, cyber media, intellectual property and bankruptcy disputes.