That said, I do approach the insurance industry with a healthy dose of caution. There is one certainty about insurance companies: They are always willing to take the premium with a smile. When it comes to handling claims fairly, the results are mixed. Insurance companies often try to limit their exposure at both the micro level and the macro level.
At the micro level, carriers will often deny particular claims or try to limit their exposure. In my view, insurance company claims adjusters often take unjustified positions because they know that few insureds really understand their policies and fewer still understand how policies are supposed to be interpreted. The rule here is simple: If an insurance company issues a strong reservation of rights or an outright denial, seek advice from an experienced coverage attorney. Do not simply accept the determination of your insurance company, or of your own insurance agent, that there is no coverage.
The approach of carriers at the macro level in trying to limit their risks is also not understood by most businesses. Quite simply, again and again, insurance companies have been forced to pay a certain category of claims under commercial general liability (CGL) policies, the most common type of policy issued to businesses. Time and time again, carriers then issue industry-wide endorsements to new policies to try to eliminate exposure for that type of risk. For example, when faced with paying environmental claims in the 1970s and 1980s, carriers responded by adopting the "absolute pollution exclusion" in new policies. When faced with mold claims in the 1990s, carriers responded with fungus exclusions. Apparently perceiving a risk from claims based on silica exposure, the carriers adopted silica exclusions. These are only a few examples.
CGL policies were formerly known as "comprehensive general liability" policies. Now the name has been subtly changed to "commercial general liability" policies, implying a limitation on coverage. As reported previously on this blog, I have seen some CGL policies that are so heavily endorsed with exclusions that it is difficult to determine what risks they intend to cover.
After attempting to choke off coverage under CGL policies, underwriters respond with new policy forms (sometimes by endorsement) offering coverage for specific risks at an additional premium. For example, environmental impairment liability coverage and coverage for on-site cleanup costs are now available -- for an additional premium, of course. Carriers now feel, apparently, that they have the expertise to underwrite environmental risks.
How does this rather lengthy exposition fit into the title of this post? Quite simply, it is my belief that we are at the vanguard of an explosion of cyber-related claims. These claims will include first party claims, such as data loss or damage to IT infrastructure by malware and hackers. These claims will also include third party claims, including claims for data breaches involving customer information, which could include claims for compromising confidential information or trade secrets, claims for release of personally identifiable information (such as credit card information) and the like. The cost of responding to a single data breach can be truly staggering.
For more information, I recommend reading this quite comprehensive article from Computerworld. Although one might quibble with particular statements in the article, it does a very good job of laying out the risks, how businesses are currently responding to (or ignoring) the risks, and the issues associated with current insurance products (especially high cost).
One of the key points in the Computerworld article is that legal and risk management departments often do not interact with the IT department in identifying risks and considering whether they should be insured. This observation is consistent with an article that I wrote last year in TechJournalSouth regarding the need for a comprehensive management approach for cyber-related risks. Only a full understanding of cyber risks across the enterprise will allow management to respond appropriately.
Companies should carefully consider their cyber-related risks across management and reporting lines. Companies should involve third party security and IT experts as necessary. Businesses should consult with experienced insurance brokers who fully understand the current insurance options and who are willing to spend the time necessary to help a business evaluate its risks. Although it is not always necessary, involving coverage counsel in the effort should also be considered.
From an insurance claims perspective, businesses should be aware that carriers will, rightly or wrongly, try to deny coverage for most cyber-related claims under CGL policies. My experience also suggests that, even when a business has purchased insurance for cyber-related risks, insurance company claims adjusters and attorneys may balk at recognizing the coverage obligation. Businesses faced with such a scenario need to involve coverage counsel and to push back.