An obscure niche product less than a decade ago, cyber insurance is now a staple of many companies’ risk transfer programs. Its rise in prominence is no wonder. High-profile data breaches have caused businesses millions of dollars in losses and untold reputational harm. Companies are right to shed some of their cyber risks through insurance, and the basic protections it offers are well known. It pays for the business’s investigation and notification to consumers of data breaches, and it defends against ensuing class action lawsuits and regulatory actions.
As valuable as these basic coverages are, companies should carefully consider and address their risks beyond them. Those that fail to do so may leave some of their biggest risks uncovered.
Cyber insurance is not an off-the-shelf product; there is no standard form. Dozens of insurers sell it, each using its own proprietary language. And the market is evolving rapidly to keep up with the risk environment’s shifting sands. Thus, simply renewing last year’s policy will not provide the cutting-edge protection available today. Like other contracts that a business signs, a proposed cyber insurance policy must be scrutinized and negotiated to meet the business’s unique needs. And the challenges in this area require a group effort that pulls in personnel and resources not just from the finance or risk management departments, but also IT, Legal and others.
Two areas of cyber insurance are seeing particularly rapid change and uncertainty: coverage for exposures relating to the European Union’s General Data Protection Regulation (GDPR) and business interruption coverages. Broad coverage is ostensibly available for GDPR risks, but its enforceability under applicable law is in question. Business interruption coverages are increasingly addressing the interconnectedness and complexity of computer systems in the age of the cloud, where one system’s downtime can affect many other companies’ operations.
Are GDPR Penalties Insurable?
The GDPR went into effect on May 25 and promises increased regulatory scrutiny and greater financial losses (up to 4 percent of the company’s global annual revenues) for breaches affecting the data of EU citizens. Companies must publicly disclose data breaches within 72 hours—lightning fast in contrast to the time taken until now by most companies to notify affected consumers. It also imposes broader disclosure, consent and data control obligations on companies, even in the absence of a breach. For example, companies must be able to answer consumers’ questions about what data is stored and be able to delete it upon request. The newly passed California Consumer Privacy Act will impose some similar obligations, but it is less of a concern for cyber insurance policy renewals this year, because it does not go into effect until Jan. 1, 2020.
Cyber insurers are addressing these new risks in different ways. Some offer narrow coverage just for damages and penalties arising from a data breach. Others have developed more expanded offerings that protect companies against investigations, regulatory proceedings and lawsuits resulting from violations of GDPR requirements even in the absence of a breach, such as a failure to delete data upon request.
Insurance companies’ willingness to cover these new and very large risks seems laudable on the surface. However, there are unanswered questions as to whether policyholders actually will be able to recover under these coverages when they find themselves in the regulatory crosshairs.
The biggest exposure under the GDPR is the potential for massive penalties. A penalty of 4 percent of global revenue could be staggeringly large for many companies, most of which probably do not have—and cannot buy—enough insurance to cover it. More important, it is currently uncertain whether applicable law will allow the insurance that companies actually have to cover GDPR penalties.
Marsh Ltd. and AON, two of the world’s largest insurance brokers, rightly warned their clients over the past few months that they should not assume that their GDPR penalty coverage is enforceable. In many jurisdictions, including a number of U.S. states, penalties imposed for the purpose of punishing a defendant for violating the law are not insurable as a matter of public policy. If one could insure against a punishment such as punitive damages, the reasoning goes, the defendant would not benefit from the opportunity that the penalty offers to learn its lesson.
AON reported that only two out of 32 countries that are implementing the GDPR rules—Norway and Finland—would allow coverage for civil GDPR penalties, with nearly all others either clearly disallowing such coverage or expressing some uncertainty about it. In September, a spokesperson for the Information Commissioner’s Office, Britain’s data regulator, refused to say whether it would allow GDPR fines it imposed to be insured: “There is nothing in the GDPR which either permits or prohibits insurance coverage against fines.”
While the uncertainty cannot be eliminated right now, there are steps that companies can and should take to increase the odds that they will get the benefit of the coverage they are buying in the event that they receive a penalty. Choice of law provisions in the policies should be expanded to state that GDPR penalties are insurable to the extent permitted under any jurisdiction’s law that is most favorable to the policyholder, whether or not such law applies to the interpretation of the policy in the event of a dispute. This may allow a policyholder to take advantage of more lenient jurisdictions’ standards when their own do not allow coverage for GDPR penalties. Some insurers are agreeing to such broad choice of law provisions, but policyholders may need to request and negotiate for them.
Another factor adding to the uncertainty surrounding GDPR coverage is that some insurers are requiring policyholders to answer detailed questions about their GDPR compliance in the application process. While imposing some underwriting limitations on this type of coverage may be prudent for insurers, certain types of questions may be aimed at giving insurers an out when it comes time to address a loss. Insurers may ask policyholders to confirm their compliance with GDPR rules. This is not a simple question for large companies with numerous computer systems and business units in various countries. But a mistaken answer to it can have outsize consequences. It could allow an insurer not only to get out of providing coverage for a GDPR-specific loss, but also to try to rescind the insurance policy altogether, thereby leaving the policyholder with no coverage, even for the run-of-the-mill data breach response costs.
Policyholders should beware such application questions and try to pare them back through negotiation with the insurers. To the extent that insurers refuse, policyholders should take special care in formulating their responses. They should be sure that their answers are accurate, adding necessary caveats where they lack certainty, even if that means acknowledging shortcomings.
Business Interruption Coverage in the Age of the Cloud
Cyber insurance policies have offered basic coverage for business interruption losses arising from a data breach on the insured’s computer system for some time. It is similar to that offered by a typical property insurance policy. A covered peril (in this case, a data breach) interrupts the insured’s business operations, causing lost income. The cyber policy covers lost net income and “extra expenses” incurred to reduce the income loss, subject to a deductible and often a “waiting period” (a period of time that the business’s computer system must be down before the coverage is triggered).
The coverage has become more sophisticated, and complex, over time in light of the entangled relationships and computer systems of businesses that rely on the internet. Should a policyholder be entitled to business interruption coverage if a third-party computer system on which it relies is taken down by a breach? Should that be the case even if the policyholder’s computer system is not fully offline, but rather merely runs more slowly because of the breach of the third-party system? Why should the coverage be limited to breaches of third-party systems; should there not be coverage if the third-party system goes down for whatever reason, such as a failed software update? For that matter, why should the policyholder not get such coverage when a mistake of its own causes an unplanned outage of its system?
Insurers have answered these questions affirmatively, though in many cases hesitantly and with restrictions. Understandably so. With each additional extension of coverage to a new origin of loss, insurers take on more risk. Now they are insuring not just the losses of a single policyholder for a breach on its own system. An insurer may have a stable of policyholders that all rely on a single third party’s computer system for their operations (e.g., Amazon Web Services). If that computer system is taken offline, the insurer owes coverage to all its policyholders whose operations are affected by that event. This aggregation of risk has insurers worried.
As a result, insurers have imposed limitations on these coverages, starting with long waiting periods and low sublimits that provide a smaller amount of coverage for each category. Several years ago, many insurers required 12-hour waiting periods and sublimits in the low six figures. Sometimes they would increase the limits for downtime caused by certain specified vendors. Policyholders were unlikely to trigger the coverage—having a computer system fully down for over 12 hours was a rare event—and there was not much protection there if they did.
Now, market demand and competition among cyber insurers are loosening these restrictions. It may be possible for a business to get an eight-hour waiting period, or less, for certain business interruption coverages without a sublimit. The coverages can be expanded to include both partial and total interruptions. And coverage for unplanned and unintended outages in the absence of a breach is becoming more common.
Just as with the insurance for GDPR risks, though, insurers will not necessarily offer these coverages as a matter of course. The policyholder must ask for them and then negotiate their terms. That requires a detailed understanding of how its own computer systems work, what other computer systems are critical to its operations, and where and how the data that the business relies on is stored.
In sum, buying a cyber insurance policy is not the exclusive domain of the finance department or the risk management department, and reducing premium costs should not be the overriding concern. The effort requires a team-based approach that draws on IT and legal resources and advisers, and a keen understanding of, and focus on, the business’s unique cyber risks. Only those companies that approach the purchase of cyber insurance deliberately and with forethought will get the best coverage available for their needs, and understand where they still have risks that should be addressed by other means.