Contracts with tech vendors increasingly include requirements of cyber-risk insurance coverage, but where the value and risks associated with the data to be shared with or created by the vendor warrant such a requirement, you should probably take a look at the coverage – and not just a certificate of coverage – to see what you’re getting. First of all, always make sure you know what if any critical digital assets other than personally-identifiable information (PII) are covered, for reasons this blog warned you about here and here. If the digital assets covered – whether PII or other knowledge assets and whether under cyber or other vendor insurance policies — are important to you, here are 20 good questions to ask:
- Who is covered? Is your company listed as an additional insured? (note: it is a good idea to request a copy of the additional insured endorsement, and to also request a copy of the whole policy once it is issued)
- What is the coverage territory? (e.g., is the coverage worldwide?)
- What does the policy’s “other insurance” provision say? Is this coverage primary? Or does it say that it is excess of all other coverages?
- Is there a retroactive date? If so, are you concerned about potential claims and liability for conduct that took place before the retroactive date?
AMOUNT AND SCOPE OF COVERAGE
- What are the policy limits and sublimits for particular types of losses? (note: certain categories of costs, such as post-breach notification costs and credit monitoring costs, often are subject to sublimits)
- What are the deductibles/self-insured retentions? Who can satisfy the deductible/self-insured retention? (e.g., only the Named Insured? Payments by other insurers? Payments by anyone?)
- What types of losses are covered? (e.g., liability, property damage, computer damage, business interruption)
- Is coverage limited to losses arising from the insured’s own omissions or does it also extend to losses caused by third-party vendors of the insured?
- Is there a contractual liability exclusion? If so, how broad is it/what are the exceptions to it?
- Is there an “acts of foreign governments” exclusion?
- Is there an exclusion for “any loss caused by an employee”?
- Is there an exclusion for “any malfunction or error in programming or error or omission in processing” or for losses arising from “mechanical failure,” “error in design,” or “gradual deterioration of a computer system”?
- Is there an exclusion for claims alleging violations of consumer protection laws? If so, does the policy at least provide defense costs coverage for these types of claims?
- Is there an exclusion for an insured’s failure to follow minimum required practices, such as the failure of the insured to continuously implement the procedures and risk controls identified in the application for insurance and related materials? If so, do you know what procedures and risk controls were identified in the application for insurance? You can see this exclusion in action here.
INSURANCE CLAIMS PROCESS AND DISPUTE RESOLUTION
- What is the claims process? Do additional insureds control their rights to recovery?
- What are the policy’s terms and conditions regarding dispute resolution? For example, is there a mandatory arbitration clause? Is there a choice-of-law clause? Is there a choice-of-forum clause? Is there a contractual limitations period?
PROVISIONS REGARDING THE DEFENSE OF AN UNDERLYING CLAIM OR LAWSUIT
- Is the policy a duty to defend or duty to reimburse defense costs policy?
- Do defense costs exhaust the policy’s limits?
- What are the provisions regarding the selection of defense counsel? For example, is there a panel counsel requirement? Does the carrier get to select counsel subject to the insureds’ consent? Do the insureds get to select counsel subject to the carrier’s consent?
- Does the policy say that the carrier has a right to recoup defense costs under certain circumstances?