Cyber Coverage Confusion

I had the opportunity recently to read two cyber liability policies and they honestly made my head spin a little. There were coverages that I hadn’t thought about and restrictions that didn’t make sense (at least for a while). The worst part was that as I was reading and trying to compare the two forms, they were so different from one another. They even used different words to describe similar coverages.

Let’s take a look. NOTE: I am extracting policy language from two different policies and for our purposes I am only providing enough language to prove the point. Always read policies in full to determine the existence and extent of coverage before offering any coverage advice.

Policy #1

The following Coverages apply if the Declarations displays a Limit of Insurance for such Coverage:

• Enterprise Security Event Liability Coverage
• Privacy Regulation Liability Coverage
• Crisis Management and Fraud Prevention Expense Coverages

The Insurer will pay the Insured Entity for:

• Crisis Management Expense;
• Fraud Response Expense;
• Public Relations Expense; and
• Forensic and Legal Expense

• Computer System Extortion Coverage

This policy makes a distinction between Claims-Made Liability Coverages (the first two) and First Party Coverages (the rest of the list). There is also a Supplemental Benefit called Breach Preparedness Information Services provided on this policy. Let’s look at the next policy.

Policy #2

In consideration of the payment of the premium and reliance upon the statements made by “You” in the “Application” and subject to the Limit of Liability, exclusions, conditions and other terms of this Policy, it is agreed as follows:

Coverages

• Privacy Liability (including Employee Privacy)
• Privacy Regulatory Claims Coverage
• Security Breach Response Coverage
• Security Liability
• Multimedia Liability
• Cyber Extortion
• Business Income and Digital Asset Restoration
• PCI DSS Assessment

Can you tell why I started to get confused? These lists read so differently. Spoiler alert, the coverages are similar. They are just called slightly different things. Of course, they aren’t the same, but they are reasonably similar. That’s why you have to read everything to find out exactly what’s covered and what isn’t covered. In that spirit, let’s look at one more section of these policies.

Policy #1

Defense and Settlement of Claims

The Insureds will not settle any Claim, pay any Damages or Regulatory Loss, incur any Claim Expenses, admit or assume any liability, stipulate to any judgment, or otherwise assume any obligation with respect to a Claim without the Insurer’s prior written consent. Notwithstanding the foregoing, if all applicable Insureds are able to fully and finally dispose with prejudice such Claim for an amount within the applicable retention, including Claim Expenses, then the Insurer’s consent will not be required for such disposition.

Policy #2

Defense, Settlement and Investigation of Claims

You” and “We” shall mutually agree on counsel to defend “Claims”. “You” shall not formally appoint defense counsel without “Our” consent, which shall not be unreasonably withheld. However, in the absence of such agreement, “Our” choice of counsel decision shall control. “We” agree that “You” may settle any “Claim” where the “Damages” and “Claims Expenses” do not exceed fifty percent % (50%) of the applicable retention, provided that the entire “Claim” is resolved and “You” receive a full release from all claimants.

These two paragraphs speak to how each policy deals with a claim that the insured decides to settle without the insurance company’s consent. Do you notice the differences?

In Policy #1, the insured seems to be able to settle claims if all costs associated with the settlement (including the settlement amounts and claim expenses) all within their retention. In that case, the insured does not need the company’s consent.

Policy #2 also allows the insured to settle without the insurance company’s consent, but its different. Policy #2 tells us that the settlement and claims expense must be no more than 50% of the applicable retention. That is a significant difference, which must be made clear before the insured starts to enter into settlement discussions without the insurance company’s involvement.

Policy #1 also makes this statement, “if all applicable Insureds are able to fully and finally dispose with prejudice such Claim…”. While Policy #2 reads this way, “…provided that the entire ‘Claim’ is resolved and ‘You’ receive a full release from all claimants.” What does all of that mean?

To fully and finally dispose with prejudice means that once the claim is complete, there are no further actions that the claimants can make against the insured or the insurer related to this claim. Saying that the claim is resolved, and the insured received full release from all claimants says essentially the same thing. A signed release is the claimant’s agreement that they have been satisfied with the outcome of the claim and have released the insured and insurance company from any further claims related to that incident.

They may have meanings that are similar, but things that are similar are not the same, so we have to watch for those kinds of differences, too.

These differences and more are why the Academy of Insurance is hosting Fred Fisher and his session “Cybertoday – tomorrow?” on September 12. Fred is going to walk us through the many differences that can show up on the over 300 different cyber liability forms that are currently available. He’ll give us some ideas about what we can watch for, what coverages are available and help us to answer the question, is this enough coverage for our customer?

You can get more information about the session and sign up at this link.

Topics Cyber Carriers Legislation Claims