As the risk of cyber threats to all businesses grows, there is a corresponding interest in managing and shifting cyber risks by contract and through cyber insurance. Insurance requirements are common in commercial contracts, and many contracts now include a sub-clause regarding cyber insurance. Whether a company is asking for a contracting party to provide cyber insurance or is on the receiving end of such a request, there are some important background considerations to remember:
- Although insureds have had some success in recovering for cyber losses under traditional business insurance, such as commercial general liability (CGL) coverage, the results are mixed and insurers are moving to restrict cyber coverage under CGL and traditional business policies.
- Although the market for cyber coverage is currently fairly robust, there is no “standard” cyber policy. Carriers use different policy language and different approaches in providing coverage, which makes comparing cyber policies challenging.
- Most cyber coverage is written as “claims made” coverage, meaning it covers only claims made during the policy period (or extended reporting period, if applicable). This makes renewing coverage important, particularly if a contract applies over an extended period of time.
- Against this background, we are seeing contract language with very general requirements, such as “Seller shall maintain cyber liability insurance with at least $2 million in policy limits during the term of the agreement.”
When evaluating contractual requirements for cyber coverage, here are some specific things to consider:
- Cyber insurance can never be a substitute for proper preventative measures. If possible, it is always better to avoid a risk than to rely on insurance. Contracting parties should consider including specific provisions regarding the handling of sensitive data, including basic requirements regarding encryption, password management, controlling access to information, etc.
- Keep cyber insurance provisions specific. Contractual provisions requiring “cyber insurance” are relatively meaningless. Cyber policies often provide, albeit in different formats, a package of third-party (liability) and first-party coverages. If liability is the primary concern, specify precisely what the insurance will cover in reference to the likely risks arising from the contract. Consider consulting an experienced cyber insurance broker along with experienced counsel.
- Consider asking to see the policy. Contractual provisions often require a contracting party to provide certificates evidencing coverage. Certificates actually do not provide much information regarding the scope of the underlying coverage, and often state on their face that they are for information only and confer no rights on the certificate holder. In the cyber insurance world, the concerns are multiplied because there is no standard policy. The certificate may provide some evidence that the insured has insurance, but does not indicate what specifically is covered. It may be best, therefore, to ask for a copy of the policy and have it reviewed by professionals.
- Be realistic in your expectations. It is certainly possible to draft incredibly detailed contractual provisions mandating specific cyber coverages. It is also easy to send out a contract draft requiring $25 million or more in policy limits. Larger companies may be able to satisfy these requirements, but most small and medium-sized companies are not going to be able to obtain coverage meeting them. Based on what we are hearing from experienced brokers, cyber coverage is currently available for reasonable premiums for small and medium-sized companies with policy limits of $2 million to $4 million, and perhaps $5 million. Higher policy limits may simply be unavailable for small businesses. The market is constantly changing, so consulting with an experienced broker should help apprise you of what is realistic at the time of contracting.