PROGRAM RECAP: Our first NACD-NJ webinar yielded many insights on covering cyber-risk. After setting the stage on the nature of the threats, the vectors for breaches and the potential impacts, our panel discussed the magnitude of losses that companies can and have experienced as well as best practices that can assist companies not only in mitigating risk, but in obtaining coverage.
Among the highlights:
While no company is immune from a breach, the three industries with the greatest risk are professional services, financial services and retail.
The cost of a breach runs about 20% higher if the cloud is involved.
About 10% of losses occur with respect to breaches involving paper documents—cyber-insurance can extend to these kinds of losses.
Multiple sources of coverage can potentially cover cyber-risk; however, they are very dependent on the circumstances of the loss, and insurance companies will strive not to cover a loss under multiple policies.
General Liability Insurance has had mixed applicability to cyber-risk, with some insurers resisting coverage successfully. More recently, General Liability policies have included loss of electronic data within property damage. But even where coverage exists, there is likely to be a sub-limit under this type of policy for data breach type losses.
Crime Insurance can come into play where funds have been stolen through computer fraud or employee malfeasance. However, it typically has excluded loss due to social engineering, although this trend is changing. Even if covered, low sub-limits may make this coverage of minimal value.
Crime insurance can cover threats from internal sources, but coverage may depend on the nature of the act, i.e., whether it is malicious or inadvertent. Look at policies carefully to avoid this gap in coverage.
Indemnification by Vendors should be included in sources of coverage. But while vendors may carry insurance—and you will want to know about their coverage—if a vendor has suffered a breach affecting multiple customers, it may be unable to fully indemnify all of those affected.
Cyber-insurance is relatively new, and while the coverage can be expansive, there may also be important gaps in coverage.
While there is no “typical” policy, both first and third party exposures are usually included. The majority of claims are for the company’s own losses (first party) but claims for damages by third parties often involve larger dollar amounts.
First party claims can include, e.g., business interruption, extortion (“ransomware”), investigation of the breach, notification and credit monitoring to affected parties, and crisis management. If a breach occurs, boards should ask whether the company will be covered for expenses where it does not use the panel of experts approved by the insurance company, e.g., it relies on internal resources, as the latter may erode the amount available for coverage.
Previously, prior acts exclusions cast doubt on whether a loss resulting from an intrusion that had existed undetected in IT systems for months or years would be covered. It is now possible to obtain coverage in these circumstances.
Availability of coverage has also improved with respect to breaches involving use of a cloud provider as well as software updates.
There are over 40 carriers currently writing cyber-risk insurance and the market is highly competitive. Costs vary widely based on the size of the company and other factors, such as whether a company has a history of having been targeted for breaches.
Although market conditions continue to improve, a program is more easily built if the applicant can demonstrate a Best-in-Class Information Security program and a Company-wide Commitment to Managing Cyber Risk.
Companies should explore the available options, terms and pricing. Cyber-insurance is not “off the shelf;” insurers are still learning; and many are willing to do more negotiating than in the past.
Understand your risks and determine what coverage you need:
- Boards should insist on having this conversation—even if the IT department is doing a good job on cybersecurity.
- Boards and companies can benefit from outside guidance, such as a broker.
Carefully review the cyber policy:
- All coverage grants
- All definitions (may narrowly define terms)
- All exclusions
- All conditions
Evaluate your whole program of insurance, including General Liability, Crime, Errors & Omissions, Cyber, etc.
Lou Chiafullo, In-House Counsel, Acres Land Title Agency, Inc.
Lou Chiafullo is In-House Counsel at Acres Land Title Agency, Inc. Previously he was a Partner at McCarter & English, LLP, where for 20 years his practice involved complex litigation, with an emphasis on insurance coverage disputes on behalf of policyholders. Lou has handled actions in state and federal court in New Jersey and other jurisdictions, has arbitrated complex insurance disputes, and often counseled policyholders on a wide variety of general and insurance-related matters.
Steve Weisman, Partner, McCarter & English
Steven Weisman is a Partner in McCarter & English’s Insurance Coverage Practice Group. He has a national commercial litigation and counseling practice, representing corporate policyholders in all types of insurance-related matters including complex coverage disputes and premium disputes in state and federal courts throughout the United States. Steven advises his clients on and litigates a broad range of insurance issues concerning an array of underlying liabilities and first-party losses under a wide variety of insurance policies, including general liability insurance, directors’ and officers’ insurance, management liability insurance, cyber risk insurance, errors and omissions insurance, advertising injury and media liability insurance, employment practices liability insurance, and first party property insurance. Steven frequently conducts insurance program reviews for his clients and negotiates policy language with insurance underwriters on behalf of his clients. His guidance also extends to counseling clients on and litigating premium disputes, including retrospective premium disputes.
Steven is a founding member of McCarter & English’s Cybersecurity Data Privacy Task Force and is a frequent speaker on cyber risk insurance issues.
Vincent G. Caracciolo, Managing Director of Claims & Coverage Advocacy, EPIC Insurance Brokers
Vincent Caracciolo is the Managing Director of Claims and Coverage Advocacy with EPIC Insurance Brokers & Consultants. He provides coverage, brokerage and claims advocacy services to the firm’s clients focusing on the Directors & Officers Liability, Errors & Omissions, Fidelity, Fiduciary, Private Equity, Financial Institutions, Employment Practices Liability and Cyber/Privacy Liability lines of business. Vincent's experience has spanned that of a practicing attorney, a professional liability insurance underwriter, claims professional, an insurance company executive, and an insurance broker. His prior legal experience includes corporate transaction, banking, securities and litigation practices, as well as insurance coverage counsel work for major insurance companies. His insurance company experience includes E&O and transactional liability underwriting, Management Liability underwriting counsel, policy/endorsement analysis and drafting, and management of a US and Global Specialty Casualty Claims division.
Vincent speaks at and writes for insurance and legal industry conferences and publications (PLUS, PLI, ACI, Corporate Directors Group, Private Equity and Hedge Fund associations, and NYC Bar Association Continuing Legal Education).