With insurers phasing out coverage for data breaches and other cyber-related risks from traditional policies, policyholders are increasingly turning to specialty cyber insurance products to protect themselves. However, standalone cyber insurance policies offer widely varied coverage, and the market is still a veritable “Wild West,” according to attorneys.
Here, attorneys share tips for insureds to get the most out of specialty cyber policies.
Know Your Limits and Sublimits
Purchasing a cyber policy with adequate limits and sublimits is crucial for policyholders to shield themselves against the full range of cyber risks, attorneys say.
“Do not get comfortable with only a policy’s aggregate limits,” said Sherilyn Pastor, the practice group leader for McCarter & English LLP’s insurance coverage group. “Negotiate sublimits and co-insurance amounts, particularly those related to notification costs and crisis management expenses, so your business has the coverage it needs for risks specific to it.”
Cyber policies can be “chock full” of sublimits for certain types of events or types of losses, Pastor said. A policy may include lower sublimits for costs associated with the initial response to a data breach — such as forensic analysis, notification letters and public relations — and a higher sublimit for costs tied to ensuing class action litigation, according to attorneys.
Negotiate, Negotiate, Negotiate
Policyholders should also beware policy conditions that are “vague and subjective,” such as requirements for maintaining “reasonable” data security measures, Pastor said.
“What is viewed as ‘reasonable’ at the time an insurance policy is placed may be later challenged with the benefit of 20/20 hindsight and as technology becomes obsolete,” she said.
Make It Retroactive
Companies should negotiate for favorable retroactive dates to ensure that a cyber policy covers losses arising from undiscovered breaches that occurred prior to a policy’s purchase, Pastor said. Carriers will offer retroactive coverage for claims made during the policy period for incidents that occurred one, two, five or 10 years before the policy was placed, she noted.
In addition, because hackers can strike from anywhere in the world, companies should ensure that a cyber policy’s coverage territory is universal, according to attorneys.
“If your policy’s coverage territory is limited, you could find yourself without coverage if a hacker carries out an attack from some remote location, or the breach happens while using Wi-Fi on an airplane,” Pastor said.