Cybersecurity insurance coverage, pitfalls and issues — Part 2

In part 2 of our latest installment to the Q&A video series focused on “What You Need to Know About Data Privacy and Cybersecurity,” McAfee & Taft attorney Will Holland discusses what organizations should look for in a cybersecurity insurance policy or endorsement, what pitfalls to watch out for, and what issues should be considered.


Q: What should you look for in a cybersecurity insurance policy or endorsement?

Will Holland: The thing to remember here is that cybersecurity insurance is a relatively new product. And so with that, it’s still evolving and changing, but also there’s no standard forms that exist in the industry for these types of policies. So, you need to be aware that if you’re talking to one insurance provider, their cyber policy may include certain terms that are nonstandard. Whereas, if you talk to another cyber provider, they may include different terms. So, just be aware of that and really think about what you want in your policy and what it’s important for you to have because it may be important for you to shop around.

Also think about whether you want a policy that provides first party coverage or third party coverage, or both. First party coverage would be, if you experience a data breach, this would pay for the costs to you of the breach and recovering from the breach. So, things like hiring a forensics firm to come and look at your systems. It would be things like, potentially if there are reputational issues, hiring a PR firm. If you need to engage in any sort of recovery, it would pay for those costs. And they can also pay for things like lost revenue, business interruption costs, that type of thing. So, think about, all right, what are my likely scenarios here? What’s my circumstance? What do I really need? And then with third-party coverage, that would be, if you have a data breach and you get sued by, let’s say one of your customers whose data was part of the breach.

The third party coverage could pay for things like, if you get sued, your attorney’s fees, if you have a judgment against you, if you have to pay out a settlement, it could pay for those types of things. So, really think about, okay, what coverage do I need? Do I need first party and third party coverage? And make sure that your policy includes those coverages.

So, a cybersecurity incident and a data breach are potentially two different things. And so you wanna make sure that both are covered under your policy. So cybersecurity incident could be something happens where you don’t have access to your own data. So, that’s an incident. Whereas a data breach is a situation where a third party has come onto your system potentially, or data has leaped from your system, and now a third party has your data. A lot of states define data breach differently; there’s consistency in the definitions, but there’s some nuance there.

So you just need to be aware, what laws apply to me? How do those laws define data breach? And you wanna make sure that your policy covers for both an incident and a data breach.

Q: What coverage issues or gaps should every insured organization be aware of?

A: Well, there are a few things. First of all, you need to think about, or be aware of, what your policy says in terms of timing of payments, if there is coverage. So, some policies say that the insurer will pay directly for costs associated with covering from the data breach. So that would be like, if you hire a forensics firm, the insurer would potentially hire the firm themselves and they would pay the firm’s bills as they’re coming in.

Other policies say, the insurer will pay on the backend, meaning that the company is gonna have to front the money, which is potentially a challenge for some companies if you’re having to hire a forensics firm that’s charging $600 an hour, that’s a tough thing to potentially pay that bill up front and then try to go get the money from the insurer on the backend. So, be aware of that.

Another thing is, think about how protected information or confidential data is defined in the policy. Ideally you want it to be defined to include both customer data, but also employee data, because most state laws or most laws that deal with data breaches will also apply to employee data if that’s subject to a breach. And so you wanna make sure that you have coverage for both.

And then the third thing is, think about, what are some conditions precedent to coverage? So, a lot of policies say, we will only provide coverage if the company does X, Y, or Z, if the company is complying with these laws. And so, in your application for that policy, if you say yes, we’re complying with HIPAA or some other security law, you wanna make sure that you actually are complying with that law, because if you’re not, it could jeopardize your coverage.

Captioning/transcript provided by Rev.

This Attorney Q&A has been provided for information of clients and friends of McAfee & Taft A Professional Corporation. It does not provide legal advice, and it is not intended to create a lawyer-client relationship. Readers should not act upon the information in this Q&A without seeking professional counsel.