Tremors from two recent cyber breaches are still reverberating in the corner offices of companies and insurance underwriters alike.
Gold on Identifying Exposures
Yet even companies that haven’t experienced a hack on their proprietary systems can be held liable for a cyber attack on their cloud providers. Before companies negotiate renewals of their liability insurance policies, it’s important for CFOs and risk managers “to understand how your company manages and hosts data,” says Joshua Gold, who chairs the cyber insurance recovery group at Anderson Kill, a law firm that represents corporate policyholders.
In particular, finance chiefs need to know whether their companies use cloud computing. “If you do, you want to make sure that whatever policy you’re looking at is going to respond [when] the breach may not be on your end but on the cloud vendor’s end,” Gold said.
That means that insurers using the widely deployed ISO forms could more easily “bar coverage for privacy claims” and claims of property damage stemming from a data breach on the new policies they offer, says Gold.
The Sony case underlines a big reason that CGL insurers may have grown so wary of underwriting cyber liability: Many cases morph into class-action lawsuits. Even though most suits haven’t resulted in big judgments or settlements, the costs of attempting to get a case dismissed or designated for summary judgment can be huge, Gold says.
Gold on Stand-alone Policies
Enter the stand-alone cyber insurance policy. “Underwriters, like everyone else, see the frightening headlines on one breach after the next, and want to limit or eliminate coverage on their existing standard policies,” observes Gold, and see “if they can’t force you to buy this different coverage.”
Gold agrees. Noting that the market for such policies is quite competitive these days, he adds that buyers “can request specific coverage and get [their] coverage needs fulfilled.” But companies will require a sharp-eyed broker to do that, the policyholder attorney contends. Because stand-alone policies are so customized, “you need to have the expertise to wade through 40 pages of mind-numbing policy language to figure out what’s covered and what’s not.”
Read the full story: The Cyber Liability Shell Game