Do You Trust Your Cyber Insurer?: Policies that Condition Breach Response Coverage on Insurer Consent Put Businesses at the Mercy of Their Insurer
Numerous sources have reported unprecedented numbers of cyber breaches in 2020. The coronavirus pandemic is an oft-cited cause, as it necessitated a rapid and massive shift to remote work environments with increased vulnerabilities. Our clients have felt it. So far in 2020, we’ve dealt with more cyber insurance issues based on actual breaches than ever before. Today we write about a particular topic relevant to policyholders in this perilous new environment: a cyber policy provision that conditions coverage for breach response expenses on an insurer’s consent can jeopardize the breach response, particularly if the insurer doesn’t appreciate the necessity of a rapid and effective response.
Most cyber insurance policies provide first-party coverage for various types of expenses necessitated by a cyber incident, such as:
- Forensic IT expense to determine the cause and scope;
- Legal expense to assess compliance requirements;
- PR or crisis communications expense to mitigate or address public relations fallout; and,
- Other expenses for items required by breach-related laws, including those associated with notifying affected persons.
For this coverage to be useful, it should be automatic. A breach response often must be quick and substantial to be effective and comply with the law. Many business clients may not have the financial ability to undertake an appropriate response if the insurer won’t pay for it.
The problem is that many cyber insurance policies condition first-party coverage for response costs on the insurer’s advance consent. There are a lot of good insurers and hard-working insurance claims handlers in the world that have ample experience with cyber incidents and coverage, and they act promptly and reasonably when businesses ask for consent. But there are others that just won’t act quickly to authorize necessary expenses, putting insured businesses between a rock and a hard place:
- Either the business can comply with the law and implement an effective breach response, but jeopardize coverage by failing to secure insurer authorization; or
- The business can wait around for the insurer’s authorization, but then jeopardize the effectiveness of its breach response and legal compliance.
This isn’t an abstract problem. We’ve experienced it.
When things like this happen to our clients, we try to advocate on their behalf to persuade the insurer to act appropriately. We also deploy other solutions in appropriate cases, including building a record of the insurer’s misbehavior and, sometimes, asking for a waiver of the prior consent requirement. But it’s better if our clients aren’t vulnerable to insurer caprice in the first place.
Businesses must be smart consumers when purchasing or renewing coverage. Not all cyber insurance policies or insurers are the same. There are cyber insurance policies available on the market that do not require advance insurer consent for certain types of first-party response expenses. As with other first-party insurance policies, the insurer is merely obligated to reimburse reasonable and necessary expenses after the fact. The insurer doesn’t have delay or veto power upfront. There are insurers in the market with substantial cyber expertise and experience and others without.
Good insurance brokers are essential in helping businesses purchase and renew cyber coverage. They know what insurance policy features are available on the market, from which insurers, and at what price; they also know which insurers are experienced and understand cyber exposures and which merely dabble. Insurance coverage counsel who have real-world experience pursuing and facilitating coverage during the fallout of a crisis can also help, by offering their perspective and advice when the business purchases or renews cyber coverage and by helping to facilitate reimbursement after a loss.