As we have noted in a number of recent posts, tech companies need cyber insurance. The risk of not having it is simply not worth it. But cyber insurance policies can be confusing to understand because the policies vary depending on your type of business, business needs, and how your customers are serviced. Some companies might need a combination of cyber policies in order to have complete cyber insurance coverage. It is very important to do your due diligence, think critically about the cyber insurance needs of your company, and find a policy that covers all of your company’s cyber risk.
Companies must pay attention to the details of the cyber insurance policy and be both clear and accurate about the representations they are making in the application for coverage. The insurance industry makes money by collecting premiums and minimizing claims. This creates a natural tension between the policyholder and carrier. When a company makes a claim, it would like to get the benefit of the bargain it made with the insurer. That benefit is for the insurer to pay for the claim. The insurer agrees to pay, as long as the claimant has met all of its obligations under the policy.
In certain cases, coverage can be denied where a policyholder fails to meet all of its policy obligations. Say, for example, you’re the policyholder. You suffer a data breach, resulting in a class action lawsuit seeking millions of dollars in damages. You make a claim under the cyber insurance coverage. But your carrier discovers that you didn’t follow all of the data security protocols you represented that you follow in your application for coverage. Your carrier takes the position, based on your data security failures, that your representations about your data security in your application were false when they were made, and it denies coverage. Before you know it, you’re in litigation not only with a class of data subjects, but with your insurance carrier as well.
There are a few take-home lessons here. First, make sure that the cyber insurance application is vetted by the experts in the business to validate its accuracy and completeness. A cyber insurance application is not the place to puff, overstate, or otherwise be aspirational or not quite accurate. Second, assuming the application was correct when it was submitted, it must continue to be correct, and if there is a material change, you should notify your carrier. Once a company receives coverage based on a set of representations about ongoing data security practices, those representations must continue to remain true. Third, make sure you know what the policy covers and excludes. Insurance policies are not easy to read and understand, so this is an important piece of work.
Cyber coverage is absolutely worth it. Hopefully you never need to use it. However, in the event that you do need it, make sure you do the right work on the front end to enhance your likelihood of having a claim successfully processed.