A typical regulatory insuring clause will provide coverage for:
“….Claim expenses and regulatory damages that an insured incurs responding to any regulatory proceeding first made against the insured and reported during the policy period resulting from a privacy or security wrongful act…”.
Like all professional and management liability policies, cyber insurance policies lack any form of standardization and are mazes of very specific verbiage requiring careful navigation in order to arrive at a proper translation. Many of the details lie in the definitions (the defined terms in the clause quoted above). Agreements pulled from policy specimens from some of the largest insurers yielded considerable verbiage differences with vast coverage implications. It is important that organizations engage in a dialogue with their brokers to understand those definitions and the extent of coverage afforded. Some of the more important items of review include:
- Ensure “wrongful acts” are not limited solely to “a breach of privacy laws” or “failure to notify of a data breach incident,” those are just two of many wrongful acts that should be included. In addition, acts of rogue employees and service providers should also be included.
- Since many enforcement actions name principals/executives, it is important to ensure the definition of “insured” is inclusive of the entity, any domestic/foreign subsidiaries (if intended) and all CISOs, CTOs, foreign equivalents and any other parties for whom coverage is intended.
- With defense costs accounting for a large portion of the damages sustained and fines expected to increase, organizations should carefully review the definition of “claim expenses” and “regulatory damages” to ensure the defense coverage is sufficient and that the policy affirmatively provides coverage for fines and penalties.
- Ensure the policy does not limit “privacy events” solely to theft or unauthorized access of PII (personally identifiable information). PHI (health information) and CCI (corporate confidential information) should also be included.
- Buyers should seek trigger language that allows coverage at the earliest stage of an investigation or action. Cyber insurance policies should allow coverage to be triggered by requests for information, investigative demands and regulatory proceedings – any policies that require a “formal suit” should be avoided.
- Ensure the definition of “computer systems” is not limited to leased/owned computers or those solely in control of the organization. Computers in the care/custody of service providers should also be included.
The cyber security environment is fast moving, and companies need to be proactive, reactive, and a bit creative when it comes to managing that risk. Organizations should also maintain a wide peripheral view in order to understand the sources of security incidents (and the available remedies). While regulatory enforcement actions are always possible, simply implementing strong controls, ensuring transparency and employing a common-sense approach when reacting to security breaches can often significantly reduce the likelihood that the regulators will come knocking.