Cyber attacks against U.S. businesses have been on the rise for years. They take numerous forms and lead to a growing breadth of loss types. Cyber insurance policies have become a staple in corporate insurance portfolios. They come in many forms and set forth varying degrees of coverage. The growth of cyber risks provides ample bases for management to take the time to understand what recovery from a cyber attack will look like for their company. A large part of such recovery likely will be insurance proceeds, under a cyber insurance policy or other policy.
While differing from one insurance company to the next, cyber insurance policies largely fall into two categories: stand-alone cyber policies with both first- and third-party liability losses covered; and “Tech/E&O”[1] liability policies that cover liability from a cyber incident. A number of steps can help policyholders to pursue a successful claim path under their cyber insurance policy. The following tips can help avoid pitfalls and help policyholders stay on the path to making a full recovery.
Beware of buzzwords. Many policyholders want to identify the type of attack they suffered and jump to using buzzwords and artificial labels. Putting aside whether the policyholders know what the buzzwords, such as “spoofing,” actually mean, they cannot know right away the facts of what happened. As with any loss, some investigation is needed to determine what happened and what led to the loss, which may come to light only through a set of wire instructions directing funds to a threat actor’s bank account, fake bank instructions or stolen data.
Cyber policies often contain a number of coverage parts. Those can include investigation costs, response costs, notification costs, and losses from a cyber incident. That latter category is often subject to sublimits, such as for “social engineering” or “phishing” incidents that lead to stolen funds. Some policies with limits as high as $10 million have sublimits in these categories of $250,000. Policyholders do not want to start out their claim process by mislabeling an incident in a manner that permits the insurance company to argue that the policyholder admitted a sublimit applies to the entire loss. Most cyber incidents are not that simple.
Provide Notice. Cyber policies have notice provisions, often requiring that notice of an incident be provided as soon as practicable. Such provisions can be vague and may be intertwined with other provisions that set forth which persons need to have knowledge of an incident for it to be “known.” Working through such provisions can be more complicated than policyholders expect. In many instances, it is appropriate to provide notice to the insurance companies, which may consist of a tower of cyber insurance companies that issued primary and excess policies. Policyholders need not have all of the facts and details of an incident or the loss from an incident. Notice typically is a short and concise statement. Insurance brokers usually help policyholders to
Document and Communicate. Each step of the recovery from a cyber breach, whether a ransomware attack, wire interception or brute force hack, can form a basis to support loss covered under a policy. Policyholders typically help themselves by documenting these steps and documenting their communications with their insurance companies. Communicating with the insurance companies throughout the process of responding to a cyber incident keeps the insurance companies engaged and eliminates many would-be reasons for delaying or denying coverage—such as claiming they do not have enough information to provide consent for necessary expenses like the analysis of compromised documents to determine what reporting and notification costs are needed. Avoiding such delays over technical issues like consent can avoid the ripple effect of slowing down an entire recovery.
Track Costs and Losses. Documenting dollars and cents also is important. Larger policyholder companies may need to open internal tracking accounts in which expenses across the company, including legal, IT and vendor costs, can be tracked. Early organization of costs and losses can lead to much smoother recovery of full expenses from insurance companies, as they often will ask for explanations of certain costs and expenses. Additionally, policyholders can typically improve their claim value by tracking the interruption to their ordinary business operations caused by a cyber incident. Interruptions to consumer-facing websites, to internal data sets needed to perform services, and to operational software that, when not fully functional, inhibits certain business operations are all examples of interruptions that are covered under many cyber policies.
Be Aware of Exclusions. Fraud, deliberate criminal acts and similar conduct can be excluded in cyber policies, just as in other types of policies. Such exclusions are cited by insurance companies when allegations of dishonest, fraudulent or criminal conduct are raised in investigations or claims by third parties. Regulators frequently follow cyber incidents, especially when they have consumer effects or involve privacy rights, and sometimes investigate for potential fraudulent or criminal activity. However, many exclusions only apply after a final, non-appealable determination of willful or deliberate conduct. Others also carve out coverage for defense costs, which can apply to regulatory investigations.
Other key exclusions can apply to so-called improvements and betterments to computer systems. Essentially, insurance companies sometimes take the position that the response effort to restore a computer system after an incident included improvements or betterments to the system. In many cases, the cyber policy states that the coverage does not apply to improvements, only restoration. The application of the language can be very complex where fast-changing technology means that restoration necessarily uses new or different equipment, software or data sets.
Another exclusion that has garnered much attention recently is the war exclusion. For decades, property policies contained language excluding loss resulting from war, and cyber policies co-opted such exclusions. But Lloyd’s recently issued requirements for exclusions applying to cyber events purportedly initiated or sponsored by nation states. The exclusions are new and relatively untested. However, they could lead to difficulty in claims for policyholders large and small if they are victims of ransomware or other malware that is attributed to a state actor. Policyholders should be ready to
Consider other insurance policies. If your company suffers a cyber incident, consider your entire insurance portfolio for potential coverage. Other policies in your insurance portfolio may include commercial general liability (CGL), directors and officers liability (“D&O”), E&O, media liability, crime/fidelity, kidnap and ransom (“K&R”), or property coverage. Any of these may provide coverage that responds to a part of the loss from a cyber incident. Indeed, most of the case law over coverage for cyber incidents concerns these “non-cyber” policies. Some may contain cyber-specific coverage, such as extensions for coverage of data loss, computer or security related incidents, or privacy violations.
* * *
Policyholders, whether large or small businesses, should be prepared to lead the claim process, marshal the facts and argue for the coverage to which they are entitled. Many insurance companies and their cyber professionals may be looking to pigeonhole claims into their view of a common incident, but policyholders benefit from identifying the specific facts and losses from their incident that establish coverage. Waiting for insurance companies to respond and waiting until the dust settles on a cyber-related recovery can be costly and result in less than maximum recovery.
[1] “E&O” refers to errors and omissions liability insurance policies that historically cover claims based on allegations of covered wrongful acts undertaken while performing professional services.