Recent major cyber attacks have kickstarted a cyber insurance buying frenzy. However, because cyber insurance coverage is unpredictable on many levels, it is critical that technology customers take meaningful steps to address insurance risks and to contract appropriately with their technology vendors.
Cyber Insurance Challenges
Cyber insurance sounds great on paper but is difficult to implement effectively. Policies notably are not uniform or standard in providing coverage for particular occurrences, parties, or losses. Even within a particular insurance provision, contract language is unpredictable and varies widely across insurers. For example, cyber attacks initiated by state actors may or may not be covered, depending on whether the attack is considered terrorism, an act of war, or a warlike action.
Moreover, insureds and insurers routinely disagree as to the coverage and intent of cyber insurance policies. Litigation involving Mondelez, Payless Shoesource, Alorica, National Bank of Blacksburg, Sony, Target, and SS&C Technologies is just the tip of the iceberg. As for pace, let’s just say that two months ago, Home Depot filed suit against three insurers to seek to obtain coverage under its policies in connection with the massive date breach it suffered seven years ago.
Decision-Making Concerns
Of concern, then, enterprise technology customers frequently base their decision to accept cyber-related contractual indemnities and limitations of liability from their vendors based on the mere fact that the vendors – or the customers – have cyber liability insurance. The customers often accept the risks without evaluating the vendors’ purported policies and without revisiting their own coverages based on the particular technology transaction. Even obligating the vendor to implement reasonable security measures is not enough.
Contractual and Operational Mitigations
The following contractual and operational tips may help enterprise customers identify and mitigate cyber liability insurance related risks under their technology agreements.
- Read your policies. Technology customers should carefully review and evaluate their insurance policies, including their cyber liability policy, to determine the extent of coverage for the cyber risks for the particular technology transaction and vendor. In some cases, standard business policies (such as property insurance, crime insurance, or commercial general liability coverage) may include cyberattack losses.
- Summarize your policies for internal stakeholders. Your technology contract negotiation team will be much better able to assess applicable cyber risk for a particular technology transaction if they know the specific scope and extent of your own cyber and other insurance policies.
- Monitor policy changes. The technology agreement should require the vendor to provide prompt notice of changes in the vendor’s insurance coverages. The agreement should establish that vendor breaches of insurance provisions specifically give rise to customer termination rights.
- Increase insurance coverages. When the customer’s business team insists that the particular technology vendor is the best resource for the deal, but the vendor does not have adequate cyber insurance, the customer should consider obligating the vendor to procure sufficient coverage, even if only for the particular transaction. Be aware, however, that the vendor may seek to burden the customer with the cost of the additional coverage.
And, do keep in mind that businesses commonly underestimate the cyber coverage they need to mitigate cyber risks.