Often called the “wild west,” the cyber insurance marketplace offers a wide variety of policy forms that vary drastically in the scope of coverage provided. This is further compounded by the relatively small amount of case law analyzing cyber policies and the quickly-evolving cyber risks that companies face. Insurers are quick to deny coverage based on the many exclusions in cyber policies, often leaving policyholders with the option of either spending money to fight their insurer in court or accepting the carrier’s denial. If your company is insured by a cyber policy (or, for that matter, any type of an insurance policy), you should carefully review the policy, understand its exclusions, and, where possible, take steps to implement practices and procedures to ensure that your company’s activities do not fall within the enumerated exclusions. Cyber insurers are often willing to modify exclusions in cyber policies to carve back certain coverages, but only when asked to do so. Analyzing the policy and negotiating with the carrier on the front end, before a claim occurs, can save your company both time and money on the back end if a claim arises. Below, we discuss some of the more frequently-invoked cyber policy exclusions that carriers use to deny coverage.
- Security Standards Exclusions: Some cyber policies exclude coverage for claims based upon the insured’s failure to maintain minimum security standards. The phrasing of these exclusions varies widely. Some policies exclude coverage for an insured’s failure to comply with “industry standards,” while other policies contain endorsements specifically listing “Minimum Required Practices” that the insured must follow. Another iteration of this exclusion ties the insured’s obligations to the security procedures identified in their cyber insurance application. Other policies contain hybrid exclusions that combine various portions of the above. Depending on how it is written, this exclusion could potentially preclude coverage for almost every data breach. Policyholders should be careful to accurately complete cyber insurance applications and to confirm that security protocols identified in the applications are in place for the duration of the policy period. Further, if your company’s policy has an iteration of this exclusion, you should request that it be removed or, alternatively, that any ambiguities (like a requirement of compliance with the vague and undefined term “industry standards”) be clarified by the carrier in an endorsement.
- Bodily Injury and Property Damage: Most cyber policies exclude coverage for claims arising out of “bodily injury” and “property damage.” More and more frequently, general liability policies (which would normally provide coverage for these types of claims) also contain exclusions that may apply to certain cyber-related incidents. See, e.g., Insurance Services Office, Inc., Exclusion for Access or Disclosure of Confidential or Personal Information and Data-Related Liability (Form No. CG 21 07 05 14). If a cyber incident at your company could result in bodily injury or property damage, you should ensure that your company’s insurance portfolio contains the appropriate coverages so you are not left uninsured in the event of a claim. In addition, companies should look carefully at the definition of bodily injury in their cyber policies to confirm that coverage for claims of mental anguish, mental injury, shock, emotional distress, and humiliation are carved back, as plaintiffs almost always cite these injuries as damages stemming from a data breach.
- War, Terrorism, Invasion, or Insurrection: Almost all cyber policies exclude coverage for loss from acts of war, terrorism, invasion, and/or insurrection. The exclusions are often written expansively and, given the proliferation of state-sponsored, political, and ideological cyber attacks, could preclude coverage for most security breaches. Many insurers are willing to modify these exclusions to carve out coverage for “cyberterrorism” or “electronic terrorism.”
- Prior Acts: Cyber policies, like almost all insurance policies, exclude coverage for claims based upon wrongful acts that occurred before a certain date (often called the “Retroactive Date”). The Retroactive Date is often the first date that an insurer issued a policy to the insured, meaning that this exclusion is usually not an issue for companies that have renewed their insurance policy with the same carrier for extended periods of time. However, this can create significant issues for companies switching cyber insurers or companies that were previously uninsured in the cyber realm. Cyber breaches can take place over long periods of time and are often discovered by companies long after the breach occurred. See, e.g., Yahoo Data Breach (2013 data theft discovered in 2016). Cyber policies are “claims made and reported” policies, meaning that they will only respond to claims that are made against or discovered by an insured during the policy period. This also means that an insured must provide notice of the claim to its cyber insurer during the policy period for coverage to exist. If you submit a claim under a cyber policy that arises from a breach that occurred prior to the Retroactive Date, your company may be left uninsured for a claim. Companies should be aware of this limitation on coverage. Before changing your cyber carrier, be sure to purchase an extended discovery period, which provides an additional period to report claims that would have been covered by the non-renewed policy. Alternatively, consider obtaining a Retroactive Date that predates the inception of your new policy.
- PCI Fines & Assessments: Almost all cyber policies contain contractual liability exclusions, some of which have been interpreted to exclude coverage for PCI fines and assessments. See, e.g., P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016). Other cyber policies expressly exclude coverage for PCI fines and assessments. If your company could be subjected to PCI fines and assessments following a breach, you should carefully review your cyber policy to make sure that it expressly provides coverage for them.
- Laptop Exclusion: Depending on your cyber policy’s exclusions, your company may not be covered for claims based upon an employee’s lost company laptop or other portable electronic device. Some insurers are willing to remove this exclusion altogether. Other carriers may be willing to modify the exclusion to only apply to claims arising from the loss of an unencrypted portable device.
Of course, the above list is not meant to be exhaustive, but is instead intended to be used as a starting point to identify some frequently raised cyber coverage exclusions. Risk managers and cybersecurity personnel should critically evaluate the coverage and exclusions within a company’s cyber insurance policy to ensure that there are no unintended gaps.