This article is the fourth and final part of a four-part series on cyberinsurance. Part one addressed the need for cyberinsurance. Part two discussed how to assess your company’s cyber exposure and select the right coverage. Part three covered the complex cyberinsurance application process. This part completes the series with advice on how to manage a cyberinsurance claim to maximize your company’s insurance recovery. You can find the full series here.
Make no mistake, insurance is an asset. Your company purchases insurance to provide financial stability and access to funding to respond to loss or a claim. Cyberinsurance is no different. With any insurance policy, however, accessing your coverage is not always as straight forward as it should be. From complicated coverage triggers to unforgiving notice requirements and confounding exclusions, there are many potential obstacles to a full recovery for any loss or claim. While some claims and losses may fall outside of the coverage you elected to purchase, you can ensure that claims and losses that ought to be covered are more likely to be covered by familiarizing yourself with your insurance policy's requirements and complying with the terms and conditions of your policy when submitting a claim.
Before an incident
There are several steps you can take now that will make sure your company is in a good position to maximize its insurance recovery in the event of a cyber incident:
- Negotiate with your insurance carrier to get preferred vendors (attorneys, forensic investigators, crisis-response managers, breach-notice providers, etc.) pre-approved by your insurer. This will minimize delays in reimbursement for these services in the event of a claim.
- Ensure that your incident response plan includes summaries of available insurance coverage and notice requirements.
- Review your insurance application to make sure that the information provided to your insurer accurately reflects current privacy and security practices.
- Familiarize yourself with the various coverage triggers under your policy.
After an incident
If you have a cybersecurity incident, be it a ransomware event, a DDOS attack, or a potential breach, after the immediate response procedures have been followed, you should take a moment to consider whether the particular incident is covered under your cyberinsurance policy. Quickly evaluating available insurance coverage is important because, depending on your legal jurisdiction, you may have substantial notice obligations that could bar recovery if not followed to the letter.
First, do you have a covered event?
Your cyberinsurance policy likely provides coverage for first- and third-party incidents. Covered events are defined separately depending on whether the incident is a first- or third-party claim.
First-party coverage insures direct losses and out-of-pocket expense incurred by your company. Coverages include: business interruption and extra expenses; data asset protection; event management, and cyber extortion. These coverages are triggered by an “occurrence,” which will likely be defined by your insurance policy. “Occurrence” is typically defined in terms of a network or cyber-related impairment, exploit, electronic theft, or extortion attempt.
Third-party coverage insures defense and liability incurred by your company due to harm allegedly caused to others by your actions. Coverages include: privacy liability claims, network-security liability claims; and privacy-regulation defense costs. These coverages are triggered by a “claim,” which will likely be defined by your insurance policy. “Claim” is typically defined in terms of a “written demand for monetary damages or non-monetary relief (including demand for injunctive or declaratory relief).” Typically, the definition of a “claim” will exclude regulatory proceedings, unless those proceeding are specifically related to privacy regulations or concerns. Some insurance policies may also include subpoenas and investigative demands in the definition of a claim.
Analyzing whether an incident is a “claim” or an “occurrence” under your policy is a fact-specific inquiry. In most cases, the claim and/or occurrence analysis will be straight forward, but in some instances a more detailed analysis may be required.
If you determine that coverage has been triggered under the policy, you should next review the policy’s terms and conditions and exclusions to ensure that coverage for your claim or occurrence is not excluded or limited. It is necessary to identify potential coverage pitfalls early in your review of the incident so that your initial presentation of the claim or occurrence does not inadvertently present an otherwise-covered loss as potentially excluded or limited by the policy. Coverage counsel, whether in-house or outside counsel, can assist with this process.
Second, what are your notice obligations?
If you determine that a claim or an occurrence exists under the policy, you will have an obligation to provide notice of the claim or the occurrence to your insurer. Notice provisions vary from insurer to insurer, so make sure to review your policy and comply with the notice obligations to the letter. Notice provisions are also different depending on whether you are providing notice of an occurrence or notice of a claim, so pay attention to any differences.
Depending on your jurisdiction, failure to provide notice as specified in the policy can cause you to lose coverage for an otherwise covered loss. In some instances, claims have been denied for mistakes as simple as omitting a required document or sending the notice to the wrong department at the insurance company.
Your policy will specify: (1) who to send the notice to (usually the claims department); (2) what to include in your notice (information, copies of documents, etc.); (3) when your notice must be sent (usually a specified period of days or “as soon as practicable”); (4) where the notice must be sent (a specific address), and (5) how the notice must be sent (email, first-class mail, etc.). Make sure that you follow these instructions to the letter to minimize any potential problems done the line.
Additionally, if you determine that you have an “occurrence” under the policy, you may have the opportunity to provide notice of “circumstances that may lead to a claim,” which is the option to provide notice of a future, expected claim under your current policy to make sure that there is coverage under that policy. In most cases, the decision to provide notice of circumstances is discretionary, but this is not always the case, so make sure to review the notice of circumstances language in your policy when providing notice of an occurrence. If notice of circumstances is discretionary, you should consider the financial impact of “locking in” coverage under the current policy. This decision can be complicated, so you should consult with counsel and key decision makers in your company before making a final decision.
Finally, if you have applicable excess or umbrella insurance, make sure that you are aware of when notice obligations are triggered under those policies.
After providing notice
Once you have provided notice, you still have a duty to cooperate as defined by your policy, so make sure to carefully and promptly respond to additional requests for information from your insurance company. Your duty to cooperate is not boundless, however, so make sure to check the policy to understand the scope of your duties.
Your policy may also have requirements to seek consent from the insurer before retaining professionals. Usually this consent cannot be unreasonably withheld, but to minimize issues, it is best to seek consent prior to retaining professionals, especially if you have not negotiated with your insurer to pre-select the necessary vendors.
Taking these steps to prepare your company for a cyber incident, quickly evaluate coverage, and comply with notice obligations will reduce the risk that an otherwise covered cyber incident will be denied. Preserving your insurance coverage in this way can help your company maximize its return on available insurance assets in the event of a cyber incident.
If you want to comment on this post, you need to login.