With almost every passing day, it seems that a new variety of cyber peril fills our collective risk management consciousness. The hospitality industry has already experienced more than its fair share of cyber problems. Stolen guest data, regulatory actions, and litigation aimed at senior management are just a few of the cyber perils faced by the industry.
This reality underscores the need for reliable cyber insurance protection. But just how reliable is the cyber insurance currently being sold?
Most cyber insurance policy forms are confusing and untested. There are dozens of different insurance policies to choose from. Few are clear about what they actually cover.
Disputes between policyholders and their insurance companies are starting to emerge. In the hospitality realm, a prime example is a recent lawsuit involving a cyber insurance company that is attempting to limit its payment for a computer hack suffered by a hotel policyholder. The dispute is not only over the amount of insurance coverage, but also whether the insurance company can compel arbitration.
Given the lack of uniformity of product in the cyber insurance marketplace, comparison shopping is important — and difficult. Below are issues to keep an eye on and strategies to employ.
Keep up with the Risks
The pace of technological change is dizzying -- and the benefits created by virtually every new development also generate new risks. Remote computer access can also mean access for unauthorized users; higher capacity thumb drives mean more files compromised should the device be lost or stolen.
The so-called "Internet of things" -- appliances, vehicles, buildings and other objects sending and receiving data -- is fertile ground for new cyber risks. Hotels are potentially exposed by the network connectivity of elevators, escalators, in-room smart televisions, HVAC systems, coffee makers, alarm and entertainment systems, among other things.
Issues of bodily injury, property damage and invasion of privacy are implicated by introducing computer connectivity and chip reliance into such devices. When this exposure is matched up with insurance coverage, the picture gets complicated. Many policyholders look to their CGL insurance policies to protect against claims alleging bodily injury, property damage and invasion of privacy. But increasingly, policyholders are finding exclusions for cyber-related claims included in their CGL policy purchases and renewals, apparently with the underwriting intent to bounce such claims over to cyber-specific insurance products. But some cyber policies have exclusions for bodily injury and property damage claims.
Thus, without careful planning, some policyholders face a potential whipsaw and, at a minimum, complicated and expensive insurance coverage litigation to secure their insurance protection. Other insurance problems abound.
Attention Needed in Purchase and Renewal
Often the most critical decisions impacting coverage for cyber-related losses will be made long before a claim or loss ever arises. Thorough analysis and consideration of the right insurance policy or policies must be undertaken before renewal or purchase. Whether newly purchasing or renewing specialty cyber insurance policies, policyholders should work with a very good and experienced broker. With no uniform insurance policy presently in the cyber insurance marketplace, key policy terms and language can vary greatly between policies and, in some cases, are open for negotiation. An experienced broker can help even the most sophisticated policyholders assess their needs and purchase the most appropriate coverage.
Policyholders must pay increased attention when completing insurance applications. All too often an insurance application response is later used against policyholders to contest insurance claims -- and the uncharted waters of cyber-related coverage jurisprudence make it increasingly likely that insurance companies will continue to do so in this area.
Avoid Vague Terms and Conditions
It is critical for policyholders to avoid cyber insurance policy terms that condition coverage on the policyholder having employed “reasonable” data security measures. These types of clauses and policy language are so vague and subjective that they are bound to lead to coverage disputes. Examples of such lawsuits already exist.
For example, in the 2015 case Columbia Casualty Co. v. Cottage Health System, the insurance company filed a lawsuit in California federal court against its policyholder, Cottage Health System, after the policyholder had suffered a breach of patient data that gave rise to a third-party lawsuit. Although the underlying suit against the policyholder ended with a settlement, the insurance company sought to deny coverage. Relying on policy language about the manner in which the policyholder protected its data, the insurance company sought to disclaim coverage due to the policyholder’s alleged lax computer security, which the insurance company said violated the cyber insurance policy conditions.
Although the California trial court dismissed the insurance company’s action for failing to engage in a contractually mandated alternative dispute resolution process, the dismissal was made without prejudice, and the dispute may make its way back to a trial. Regardless, this litigation demonstrates that where coverage is “conditioned” on the robustness of computer security measures, disputes are likely to ensue.
Mind Your D’s & O’s
Given the proliferation of cyber-related risks, and an expected increase in shareholder suits arising out of data breaches against directors and officers, D&O underwriters will likely be focusing more and more on computer and data risks. Consequently, additional attention must go into reviewing all D&O insurance policy terms and endorsements at inception and renewal. This includes terms and endorsements contained in the primary, excess layers, and Side A insurance policy forms.
Some insurance companies may ultimately attempt to insert exclusions into D&O policies as they do into other insurance policies. Many of these terms are vague and destined to lead to disagreements over their effect on the scope of insurance coverage for a cyber-related claim.
Provide Notice to All Insurance Companies Potentially Providing Insurance Coverage
Finally, provide notice to your insurance companies quickly after a breach in order to avoid disruptive, unnecessary arguments regarding the timeliness of notice. Every minute counts following a breach, and never has the phrase “time is money” rung more true, as you undoubtedly will incur costs quickly for computer forensics, attorneys and other consultants. Providing proper notices and advising promptly of costs incurred to respond to the incident can increase the odds of recovering these costs from your insurance companies.
In the area of cyber, it is more important than ever to be a smart purchaser of these specialty insurance products. The underlying risks of cyber security are real and the insurance marketplace is in tremendous flux. With this context in mind, protect yourself with solid insurance coverage and preserve those rights smartly in the event you need to call on your insurance to respond to losses and claims.