Technology & Cyber Risk Insurance – Understanding the Basics
Coverage as Complex as the Technology
There is a wide range of insurance products within the generic umbrella of Technology or Cyber Risk insurance. Some policies provide first-party coverage insuring covered losses directly sustained by you, the policyholder. Other variations provide coverage that includes loss to third parties – your clients. Professional liability insurance is the most important insurance requirement embedded in every IT services contract. Menu-driven policies allow selection among coverage modules to better correlate coverage with the IT firm’s specific enterprise exposures. Because this is arguably the most important insurance you will purchase, it’s important not to approach the purchase of this insurance as that of a commodity. Not all policies are equal. Investing time to compare the available coverage options and the policies’ limitations is essential to ensure your enterprise receives appropriate liability protection.
Exclusions: A good place to start understanding what your policy covers.
Having a clear understanding of what your Cyber Risk policy doesn’t cover is as important as understanding what it does cover. Some of the prominent exclusions to coverage contained in Cyber Risk policies are summarized below. It’s important to be mindful that a policy’s exclusions do not always appear in the Exclusion section. Many insurance policies embed coverage limitations in other parts of the policy, such as within the Definitions section. Similarly, policy exclusions sometimes contain carve-backs or exceptions to the exclusion, which typically make a portion of an exclusion inapplicable, thereby expanding coverage under specifically defined circumstances.
Some typical exclusions are:
•Claims involving the recall, replacement, repair or supplementation of the Insured’s product or service.
•Claims alleging software failure involving software that is in a test phase or not in general commercial release.
•Claims involving fee disputes.
•Claims involving electrical, mechanical or telecommunication failures or interruption, unless the failure was caused by the Insured’s covered wrongful acts.
•Claims alleging invalidity, misappropriation or infringement of a patent, trade secret, copyright, trademark or service mark unless arising from electronic publishing activity.
•Certain proceedings brought by federal, state or local governmental agencies, licensing authorities, or rights organizations, except for network security or privacy-related claims.
•Claims alleging unauthorized collection of personal data of third parties with the knowledge of the Insured’s principal partner, director or officer; that knowledge is imputed to other Insured individuals and/or the entity.
Readers should not be left with the impression that these policies don’t cover much. Quite the contrary, these insurance policies provide very broad and valuable coverage. The definition of “Wrongful Act” as found within one of the more prominent Cyber Risk policies states: “…means any error, misstatement, misleading statement, act, omission, neglect, breach of duty, or Personal Injury offense actually or allegedly committed or attempted by any Insured in their capacity as such:” That clause is followed by a litany of coverage triggers including but not limited to: “failure of the Insured’s Technology Services, Technology Products, Electronic Media exposures, product disparagement, trade libel, public disclosure of private facts, plagiarism, piracy, copyright and domain name infringement, service mark infringement, negligence with regard to creation or dissemination of electronic content, unintentional violation of privacy rights or regulations, and network extortion threats.”
Technology Professional Liability Insurance
IT professionals provide a variety of technology-related services encompassing web-based and technology systems-based services. Liability can emanate from the ineffectual rendering of the professional services. These claims are generally brought as a failure of the provided services to perform as intended. They typically allege the services caused a client to sustain loss of property and/or economic damages due to business income loss. Some claims allege loss because a client’s system was exposed to a threat of unauthorized access which could result in privacy issues or the threat of cyber extortion. It’s important for IT professionals to understand that while the scope of coverage contained within Cyber Risk policies is broad, it is not all-inclusive. For example, these types of insurance policies do not provide coverage for claims involving delays, cost overruns or certain other business-related disputes.
The Checklist – Does Your Policy Cover…?
Some questions Technology firms should ask about their Cyber Risk policy…
•Is Defense fully covered without any allocation of defense costs between covered and non-covered claims if at least one covered allegation is asserted?
•Does Data Breach coverage include both first-party and third-party expenses?
•Does Privacy Coverage apply to third-parties such as customers and employees of the Insured?
•Does the policy provide Expense Coverage for complying with Consumer Privacy Notification regulations and credit monitoring expenses?
•Are costs of retaining public relations or crisis management firms and/or law firms in the event of a privacy breach event covered?
•Are Data Breach claims subject to deductibles, retentions or co-insurance?
•Are regulatory fines, pre-judgment and post-judgment interest covered?
•Does Business Interruption coverage include costs to enhance information assets beyond their pre-loss status?
•Are consequential damages covered?
•Is Contractual Liability covered if liability exists in the absence of the contract?
•Does the policy’s definition of Legal Proceedings include arbitrations?
•Is Additional Insured coverage available if required by contract?
•Are Independent Contractors covered if the claim is also brought against an Insured?
•Are Defense Expenses covered for Deceptive or Unfair Business Practices unless a final adjudication is rendered adverse to the Insured?
•Will the policy provide defense coverage for claims seeking solely injunctive relief?
•Does the policy offer an option to include Professional Liability Coverage?
Whether the IT enterprise is a small, medium or large firm, losses that arise relative to the scope of its contracts can have a devastating effect. Before even considering the potential economic damages, one must consider the cost of defending a technically complex claim. Without proper insurance, those defense costs can be enough to cripple most IT service providers, or certainly put severe stress on a company’s profitability. In addition, there are public relations consequences and other related expenses that may be incurred in connection with such claims. Technology or Cyber Risk insurance, if properly designed, provides critically important protection to any technology-related enterprise, ensuring its ability to continue to operate even after sustaining a devastating professional services claim.