RIMS 2016 Handouts / CRM005

CYBER 4.0: CUTTING-EDGE ADVANCEMENTS IN INSURANCE COVERAGE FOR CYBER RISK AND REALITY (CRM005)

Speakers:

• Roberta Anderson, Partner, K&L GATES LLP

• Timothy Flaherty, Manager, Insurance Risk Management, Alcoa Inc.

• Donna Stone, Director, Insurance Risk Management, GDF SUEZ Energy North America, Inc.

• Christopher Liu, Head of Cyber, Financial Institutions Group, AIG

• Ben Beeson, Cyber Risk Practice Leader, Lockton Companies LLP

Learning Objectives

At the end of this session, you will:

• Compare the provisions and enhancements of current cyber insurance products relative to your industry.

• Assemble practical cyber coverage negotiation tips.

• Add a best practices checklist to your next cyber insurance placement.

Agenda

• Introduction And Overview

• Evolving Threat Landscape And Legal/Regulatory Climate

• Cyber Insurance Overview

• The Risk Manager's Perspective

• The Role of the Risk Manager in Cyber Enterprise Risk Management

• Process of Placing Cyber Insurance

• The Insurer's Perspective

• The Broker's/ Intermediary's Perspective

• Coverage Counsel's Perspective

• Claims and Coverage Trends

• Negotiating Better Coverage Before a Claim And Avoiding Coverage Pitfalls

• Questions

Our Question to You: What Keeps You, Your Board/Stakeholders Up at Night?

Introduction And Overview: Evolving Threat Landscape And Legal/Regulatory Climate

klgates.com

• Malicious Attacks

– Advanced Persistent Threats

– Social Engineering

– Viruses, Trojans, DDoS attacks

– Ransomware

• Data Breach/Unauthorized Access

• Software Vulnerability (Heartbleed)

• System Glitches

• Employee Mobility

• Lost or Stolen Mobile and Other Portable Devices

• Vendors/Outsourcing (Function, Not the Liability)

• The Internet Of Things

• Human Error

Evolving Threat Landscape


• Federal Cybersecurity/Data Privacy Laws

– HIPAA/HITECH

– GLBA

– FTC Act

– FCC Act

– FCRA/FACTA

• State Cybersecurity/Data Privacy Laws/Consumer Protection Statutes

– 47 States, D.C., & U.S. Territories Breach Notification Laws

– State Security Standards (MA, CA, CT, RI, OR, MD, NV)

• Foreign Laws

• Cross-Border Issues

– Securing data is complicated by cross-border transfer issues and the differences in worldwide privacy laws

– Laws are complex and can impose conflicting obligations on a multinational enterprise.

• NIST Cybersecurity Framework

• Industry Standards, e.g., PCI DSS

• SEC Cybersecurity Risk Factor Guidance

Legal And Regulatory Framework

• “[A]ppropriate disclosures may include”:

• “Discussion of aspects of the registrant's business or operations that give rise to material cybersecurity risks and the potential costs and consequences”;

• “To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks”;

• “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences”;

• “Risks related to cyber incidents that may remain undetected for an extended period”; and

• “Description of relevant insurance coverage.”

Cybersecurity: Five Tips to Consider When Any Public Company Might be the Next Target,

http://media.klgates.com/klgatesmedia/epubs/GBR_July2014/

SEC Cybersecurity Risk Factor Disclosure Guidance

“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the 'certain other coverage' that may reduce your exposure to Data Breach losses.”

Target Form 10-K (March 2014)

SEC Cybersecurity Risk Factor Disclosure Guidance

“We note your disclosure that an unauthorized party was able to gain access to your computer network 'in a prior fiscal year.' So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.”

Alion Science and Technology Corp. S-1 filing (March 2014)

SEC Cybersecurity Risk Factor Disclosure Guidance

Introduction And Overview: Cyber Insurance Overview

• Privacy and Network Security

– Generally Covers Third-Party Liability Arising from Data Breaches and Other Failures to Protect Confidential, Protected Information, as well as Liability Arising from Security Threats to Networks, e.g., Transmission of Malicious Code

– Questions:

– Coverage for the Acts, Errors, Omissions of Third Parties, e.g., Vendors?

– Coverage for Data in the Care, Custody, Control of Third Parties, e.g., Cloud Providers?

– Coverage for Proliferating and Expanding Privacy Laws/Regulations?

– Coverage for Data in Any Form, e.g., Paper Records?

– Coverage for Confidential Corporate Data, e.g., Third-Party Trade Secrets?

– Coverage for “Rogue” Employees?

– Coverage for Wrongful Collection of Data?

– Coverage for TCPA Violations?

Third-Party Coverage

• Regulatory Liability

– Generally Covers Amounts Payable in Connection with Administrative or Regulatory Investigations

– Questions:

– Coverage for Fines and Penalties?

– Coverage for Consumer Redress Funds?

– Regulatory Exclusion Carve Backs?

– Sufficient Sublimit?

• PCI-DSS Liability

– Generally Covers Amounts Payable in Connection with PCI Demands for Assessments, Including Contractual Fines and Penalties, for Alleged Non-compliance with PCI Data Security Standards

Third-Party Coverage

• Media Liability

– Generally Covers Third-Party Liability Arising from Infringement of Copyright and Other Intellectual Property Rights, and Torts Such as Libel, Slander, and Defamation Arising from the Insured's Media Activities, e.g., Broadcasting and Advertising

– Questions:

– Coverage for “Rogue” Employees?

– Coverage for Media Content in Any Form, e.g., Printed Publications, or Limited to Digital Media Content?

– Coverage Limited to Certain Locations of Media Content Display, e.g., on the Insured's Website or Social Media Sites?

– Coverage for Liability Arising out of the Insured's Own Advertising Activities?

– “Occurrence”-Based or Claims Made Coverage?

– Appropriate for Media Companies?

Third-Party Coverage

• Crisis Management

– Generally Covers “Crisis Management” Expenses That Typically Follow in the Wake of a Breach Incident, e.g., Breach Notification Costs, Credit Monitoring, Call Center Services, Forensic Investigations, and Public Relations

– Questions:

– Triggered by Failures of Security?

– Coverage for Forensic Investigation and PCI Forensic Investigator?

– Coverage for Public Relations, Crisis Management, “Breach Coach” Counsel?

– Coverage for Notification? How About ID Theft Education, I.D. Theft Restoration Services, Call Center Services, Credit Monitoring, Reimbursement Insurance?

– Insured's Reasonable Selection of Counsel/Vendors?

– Outside or Inside Limits?

– Sufficient Sublimits?

First-Party Coverage

• Network Interruption

– Generally Covers First-Party Business Income Loss Associated with the Interruption of the Insured's Business Caused by the Failure of Computer Systems

– Questions:

– Coverage for Third-Party Systems?

– Coverage for Cloud Failure?

– Coverage for Non-Malicious Acts, e.g., Unintentional, Unplanned Outage?

– Exclusion for Power Failure, Blackout/Brownout, etc.?

– Coverage Beyond the Interruption, e.g., 120 Days?

– Waiting Period, e.g., 12 Hours?

– Hourly Sublimits?

– Sufficient Sublimit(s), e.g., Contingent and Non-Malicious Acts Coverage?

– What About Loss Caused by Physical Perils, e.g., Flood?

First-Party Coverage
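The network-interruption questions above (waiting period, length of the covered period, hourly and aggregate sublimits, and whether degradation short of a complete outage triggers cover at all) turn into a simple calculation once the policy terms are pinned down, and the calculation shows how much of an outage the insured actually retains. The Python model below is an added illustration for this handout, not material from the deck or any insurer's policy wording. Its terms, outage timeline and dollar figures are constructed, and it assumes one continuous event whose waiting period and maximum period run from the first hour of the interruption, with the clock continuing through degraded-but-not-down hours.

```python
"""Model how network-interruption policy terms turn an outage timeline into
recoverable and retained loss.  Added illustration only: the terms, the
timeline and the dollar figures are constructed, and the one-continuous-event
assumption is a simplification of real policy wording."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class NetworkInterruptionTerms:
    waiting_period_hours: float   # loss inside this window is retained by the insured
    max_period_hours: float       # cover stops this many hours after the event begins
    hourly_sublimit: float        # most the policy pays for any single covered hour
    aggregate_sublimit: float     # most the policy pays for the whole event
    covers_degradation: bool      # False = only a complete outage is a covered trigger


@dataclass(frozen=True)
class OutageSegment:
    hours: float                  # length of this stretch of the timeline
    hourly_income_loss: float     # insured's actual business income loss per hour
    complete_outage: bool         # False = degraded service, True = systems down


def recoverable_loss(terms, segments):
    """Return (total_loss, recoverable, retained) for one interruption event.

    Segments are consecutive.  Assumption: the waiting period and the maximum
    period are measured from the start of the first segment, and degraded hours
    still consume the clock even when they are not themselves covered."""
    elapsed = 0.0
    total_loss = 0.0
    recoverable = 0.0
    for seg in segments:
        start, end = elapsed, elapsed + seg.hours
        elapsed = end
        total_loss += seg.hours * seg.hourly_income_loss
        if not seg.complete_outage and not terms.covers_degradation:
            continue  # degradation-only hours fall outside the covered trigger
        # Hours of this segment that fall inside [waiting period, max period]
        covered_start = max(start, terms.waiting_period_hours)
        covered_end = min(end, terms.max_period_hours)
        covered_hours = max(0.0, covered_end - covered_start)
        paid_rate = min(seg.hourly_income_loss, terms.hourly_sublimit)
        recoverable += covered_hours * paid_rate
    recoverable = min(recoverable, terms.aggregate_sublimit)
    return total_loss, recoverable, total_loss - recoverable


# Constructed terms: 12-hour waiting period, 120-day maximum period,
# $50k hourly sublimit, $5M aggregate sublimit, complete outage only.
EXAMPLE_TERMS = NetworkInterruptionTerms(
    waiting_period_hours=12,
    max_period_hours=120 * 24,
    hourly_sublimit=50_000,
    aggregate_sublimit=5_000_000,
    covers_degradation=False,
)

# Constructed timeline: 8h hard outage, 16h degraded service, 30h hard outage.
EXAMPLE_TIMELINE = [
    OutageSegment(hours=8, hourly_income_loss=40_000, complete_outage=True),
    OutageSegment(hours=16, hourly_income_loss=20_000, complete_outage=False),
    OutageSegment(hours=30, hourly_income_loss=60_000, complete_outage=True),
]


def compare_wordings(terms=EXAMPLE_TERMS, timeline=EXAMPLE_TIMELINE):
    """Recoverable amount under the terms as written versus a negotiated
    variant that also covers degradation; the gap is the value of that one
    wording change."""
    as_written = recoverable_loss(terms, timeline)[1]
    with_degradation = recoverable_loss(
        replace(terms, covers_degradation=True), timeline)[1]
    return {"as_written": as_written, "with_degradation": with_degradation}


if __name__ == "__main__":
    total, paid, kept = recoverable_loss(EXAMPLE_TERMS, EXAMPLE_TIMELINE)
    print(f"total loss ${total:,.0f}  recoverable ${paid:,.0f}  retained ${kept:,.0f}")
    print(compare_wordings())
```

In the constructed timeline the first eight hours of hard outage fall entirely inside the waiting period, the sixteen degraded hours are not a covered trigger at all, and the hourly sublimit shaves $10k off every hour of the final outage, so the insured retains well over a third of its actual loss. Re-running with `covers_degradation=True` shows what the wording change is worth, which is the kind of number a risk manager wants in hand before negotiating the definition of business income loss.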

• Digital Asset

– Generally Covers First-Party Cost Associated with Replacing, Recreating, Restoring and Repairing Damaged or Destroyed Programs, Software or Electronic Data

• Extortion

– Generally Covers Losses Resulting from Extortion, e.g., Payment of an Extortionist's Demand to Prevent a Cybersecurity Incident

• Reputational Harm

– Generally Covers “Crisis Management” Type Costs in the Event of a Publication Likely to Be Seen by an Insured's Stakeholders, e.g., Customers, Investors, Vendors, or Regulators, and to Have an Adverse Impact on Public Perception of the Insured or Its Brand. Can Also Cover Business Income Loss Caused by a Publication Likely to Be Seen by an Insured's Stakeholders, and to Have an Adverse Impact on Public Perception of the Insured or Its Brand

First-Party Coverage

• First-Party Property Damage and Business Interruption ~$350M

• Third-Party Bodily Injury and Property Damage ~$100M

[T]his policy will drop down and pay Loss caused by a Security Failure [a failure or violation of the security of a Computer System that: (A) results in, facilitates or fails to mitigate any: (i) unauthorized access or use; (ii) denial of service attack; or (iii) receipt, transmission or behavior of a malicious code] that would have been covered within an Underlying Policy, as of the inception date of this policy, had one or more of the following not applied:

A. a Cyber Coverage Restriction [a limitation of coverage in an Underlying Policy expressly concerning, in whole or in part, the security of a Computer System (including Electronic Data stored within that Computer System)]; and/or

B. a Negligent Act Requirement [a requirement in an Underlying Policy that the event, action or conduct triggering coverage under such Underlying Policy result from a negligent act, error or omission].

DIC Coverage

“Traditional” Coverage?

• Directors' and Officers' (D&O)

• Errors and Omissions (E&O)/Professional Liability

• Employment Practices Liability (EPL)

• Fiduciary Liability

• Crime

• Retail Ventures, Inc. v. National Union Fire Ins. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012) (DSW covered for expenses for customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by Visa and Mastercard under the computer fraud rider of its blanket crime policy)

• Property

• Commercial General Liability (CGL)

“Traditional” Coverage?

• Coverage B Provides Coverage for Damages Because of “Personal and Advertising Injury”

• “Personal and Advertising Injury”: “[o]ral or written publication, in any manner, of material that violates a person's right of privacy”

– What is a “Person's Right of Privacy”?

– What is a “Publication”?

– Does the Insured Have to “Do” Anything Affirmative and Intentional to Get Coverage?

• Coverage A Provides Coverage for Damages Because of “Property Damage”

• “Property Damage”: “Loss of use of tangible property that is not physically injured”

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”

– Zurich American Insurance Co. v. Sony Corp. of America et al.

“Traditional” Coverage?

The Risk Manager's Perspective

Google Search On Insurance Coverage: Workers' Compensation vs. Cyber (Workers' Compensation coverage has existed for 100+ years; “cyber” returns more than 2X the hits)

B-21 Bomber Program – US Air Force

The common denominator: data was taken without permission, across various industries…

• Hackers breached the systems of health insurer Anthem, Inc., exposing nearly 80 million personal records.

• Perhaps 2015's most high-profile hack was on Ashley Madison, the adultery website that promised its members discreet affairs.

• An unknown group infiltrated hundreds of banks in multiple countries, swiping somewhere in the neighborhood of $1 billion.

• The controversial cybersecurity group Hacking Team got hacked, revealing that it was providing tools to repressive governments to spy on their own citizens.

• Hackers gained access to unclassified White House systems in 2014, but the nature of the hack got way worse as new details emerged this year.

• About 15 million T-Mobile customers had their information stolen after the credit-checking company Experian was breached.

• CIA Director John Brennan had his personal email hacked, which had sensitive personal documents in it.

• A breach of children's toy manufacturer VTech resulted in the release of records on 4.8 million parents and more than 6.8 million kids.

• The US government agency in charge of background checks was breached, exposing information on virtually every federal employee since the year 2000.

Source: Tech Insider, http://www.techinsider.io/cyberattacks-2015-12?op=134

…Are You Able to Escape Being Hacked?

Source: http://deloitte.wsj.com/riskandcompliance/2016/02/22/sharpening-the-boards-role-in-cyber-risk-oversight/

Cyber at Board Level

• In Placing Coverage:

• Determine the Need for Coverage

• Risk Assessment – Involve the Proper Resources (CISO, CIO, Internal Legal)

• Review the Extent of Coverage Under Existing Policies and Align with Cyber

• Property, D&O, Fiduciary, Fidelity, CGL/Excess

• Engage a Knowledgeable Broker and Outside Counsel

• Research, ask questions and benchmark

• Execute Non-disclosure Agreements with Potential Insurers

• Conduct Open Discussions to Complete an Extensive Application

• Protect the Data Provided to Underwriters

• Conduct Meetings with Potential Underwriters

• Advise Senior Management

• Review Retro Date Logistics

• Beware of Acquisitions, Divestitures and Corporate Separations

• Length of Time for Placement – Renewals Are Quicker

The Role and Perspective of The Risk Manager

• What is at Risk?

– Banks/financial institutions

– Health care

– Education

– Government

– Insurers

– Retailers

– Energy Production/Pipelines/Grid

– Utilities

– Transportation – Airlines/Rail

– Law Firms

• And Personally – Manufacturing

– Business interruption

– IP

– Third party – IP, customer data, drawings

– Reputation

The Role and Perspective of The Risk Manager

The Insurer's Perspective

Coverage!

- Cyber!

- Property

- Fidelity & Crime

- D&O, E&O, EPL…

- Etc.!

Underwriting!

New, and/or Improved!

The Broker's/Intermediary's Perspective

• Risk Aggregation

• Actuarial Data – How To Price Risk.

• A “Static” Underwriting Process That Must Tackle A “Dynamic” Risk.

• Limited Capacity

• Limited Ability To Cover All Corporate Assets

Major Challenges to the Insurance Marketplace in 2016

• Aggregation refers to the consequences of concentrated and cascading cyber risks. Key aggregation attributes include internet failure, compromised service providers, or a number of companies in the same (or different) sectors using the same IT system, so that a single event affecting that system affects every company that depends on it.

• As cloud computing becomes more ubiquitous, one successful attack or the failure of a cloud host could cause losses to thousands of parties who hold their data within the cloud.

Risk Aggregation

• A lack of sufficient metrics with respect to frequency and severity of loss, not just to PII, PHI and IP, but also to physical assets as a result of cyber events makes pricing risk a challenge.

• The evolving nature of the threat (DDoS, APT, Ransomware) and the environment (virtualization, the Internet of Things, and the Cloud), compounds the problem of developing accurate actuarial data.

• Fundamentally, insurers look for a strong security culture within the company as a first step in risk triage. Additional factors such as industry, revenue size, geography, and actual assets at risk contribute to how risk is priced.

A Lack of Actuarial Data

• Intellectual Property Assets

• Theft of one's own corporate intellectual property (IP) still remains uninsurable today as insurers struggle to understand its intrinsic loss value once compromised. The increasing difficulty in simply detecting an attack and, unlike a breach of PII or PHI, the frequent lack of a legal obligation to disclose, suggest that a solution is not in the immediate future.

Beyond Privacy -What Does Cyber Insurance Not Cover?

• Ambiguity Reigns!

• Cybersecurity is no longer just about risks to information assets. A cyber attack can now cause property damage that also could lead to financial loss from business interruption as well as liability from bodily injury or pollution, for example. Understanding where coverage lies in a corporate insurance policy portfolio is challenging and, at times, ambiguous. An assumption that coverage should rest within a property or terrorism policy may not be accurate. Exclusionary language has begun to emerge and is expected to accelerate across the marketplace as losses occur. Dedicated products also have started to appear.

Beyond Privacy - Are Physical Assets Covered?

• INSTITUTE CYBER ATTACK EXCLUSION CLAUSE - CL380

• 1.1 Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system.

• 1.2 Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software program or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.

Emerging Cyber Risk Exclusions

• The threat landscape is now such that a prevention strategy only is outdated.

• Expect that your network has already been compromised and build resilience to minimize the size of the impact.

• People, Processes and Technology. The Board is now a major stakeholder. This is an enterprise risk and no longer sits only with the IT Department.

• Insure residual risk

The Underwriting Process - A Change in Approach

Technology and Insurance Converge

• A number of technology product and service companies are joining the market to try to support the risk assessment process for cyber insurance.

• Insurers and brokers are starting to invest in predictive analytics capability based on both internal and external data.

• Ability to price risk more accurately will accelerate the growth in market capacity.


The Future of Cyber Insurance?

• Will continuous monitoring and risk scoring be the new norm? That is, maintaining real-time awareness of security threats and vulnerabilities to support organizational risk management decisions.

• Will premium and rates vary on a monthly, weekly, daily, or even hourly basis, predicated on a dynamic threat and vulnerability environment?

• Underwriters will continue to establish new relationships with security product vendors.


The Public Policy Debate – The Driver

• Market Incentives versus Regulation

• Legislators are giving greater prominence to the role of cyber insurance. The failure to pass laws to drive stronger enterprise security has demonstrated the challenges in trying to enforce minimum standards. There is growing support for market-based incentives such as insurance that can reward strong Cybersecurity through discounted premium or broader coverage.


Outside Counsel's Perspective: Claims and Coverage Trends

• Legacy Policy “Cyber” Decisions

• Hartford Cas. Ins. Co. v. Corcino & Assocs., No. CV 13-3728 GAF (JCx), 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013)

Medical information was posted to a public website. Patients sought statutory damages under the California Confidentiality of Medical Information Act and the California Lanterman-Petris-Short Act. The insurers denied coverage under an exclusion for “Personal And Advertising Injury... [a]rising out of the violation of a person's right to privacy created by any state or federal act.” Held: the remedies sought were for breaches of privacy rights that were not “created by any state or federal act,” but which exist at common law and under the California Constitution.

• Rvst Holdings, LLC v. Main St. Am. Assur. Co., 136 A.D.3d 1196 (N.Y. App. Div. 2016)

The insured's customers' credit card data was compromised and it was sued by a financial institution. Held: there was no duty to defend or indemnify because the policy stated that “electronic data is not tangible property” and excluded “damages arising out of the loss of... electronic data.”

• Travelers Indem. Co. v. Portal Healthcare Solutions, LLC, No. 1:13-cv-00917-GBL-IDD (E.D. Va. Aug. 7, 2014)

The insured allegedly failed to safeguard medical records from being viewed on a public website. Held: there was “publication” because the records were “place[d] before the public.” (The court rejected the insurer's arguments that there was no coverage because the insured took no steps designed to disclose or publish the information and there was no evidence it was viewed by any third party.)

• Recall Total Info. Mgmt., Inc. v. Federal Ins. Co., 115 A.3d 458 (Conn. 2015)

Insured transport vendor allegedly lost data tapes containing sensitive data on a large number of employees. Held: no “publication” absent evidence that information on the tapes was ever accessed, noting that communication of the information to a third party was required to trigger coverage.

• Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014)

Claims and Coverage Trends

• “Cyber” Insurance Lawsuits

• Columbia Cas. Co. v. Cottage Health Sys., No. 2:15-cv-03432 (C.D. Cal., filed May 7, 2015).

The insured suffered a data breach resulting in the release of electronic private healthcare information of over 32,000 patients. CNA funded a $4.125 million settlement subject to a reservation of rights and denied coverage. CNA claimed that it was not obligated to defend or indemnify the insured based on (1) an exclusion entitled “Failure to Follow Minimum Required Practices,” for “[a]ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's …” and (2) the misrepresentation defense. The case is being mediated.

• New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd's of London, No. 15-11711 (La. Civ. Ct., filed Dec. 10, 2015), removed to 2:16-cv-00061 (E.D. La. Jan. 5, 2016).

The insured sought coverage for financial losses, including investigation costs and compensation to financial institutions, for fraudulent charges after credit and debit card numbers were obtained. The insurer claimed that only a $200,000 sublimit was available, rather than the full $3 million policy limit. The case has been stayed pending arbitration.

• Spec's Family Partners, Ltd. v. The Hanover Ins. Co., No. 4:16-cv-438 (S.D. Tex., filed Feb. 19, 2016).

The insured retailer was the victim of two attacks on its computer systems. Credit card issuers made liability assessments against the insured in the amount of approximately $9.5 million, and the insured's payment processor improperly withheld approximately half that amount from the insured's accounts. The insured sued its processor, but the insurer refused to cover those litigation costs despite having entered into a defense funding agreement with the insured for claims relating to these cyberattacks.

Claims and Coverage Trends

• Claims Are Being Denied Based Upon:

– Procedural Reasons, Including Typical Coverage Denial Reasons Such As:

– Purported Late Notice

– Purported Lack Of Cooperation

– Insufficient Sublimits

– No Retroactive Date

– Substantive “Cyber” Insurance-Related Reasons Such As:

– Exclusions Relating To Purported Failings in Cyber Security, e.g., Negligence

– Purported Misrepresentations/Omissions in the Application for Insurance

– The Covered “System,” “Network,” “Wrongful Act,” or “Security Failure,” Etc., May Not be Broad Enough to Meet the Newer Reality of Risk, e.g., Social Engineering/The Human Factor

– The Definition of Business Income Loss Does Not Extend to System Degradation (As Opposed to a Complete Outage)

Claims and Coverage Trends

Outside Counsel's Perspective: Negotiating Better Coverage Before a Claim And Avoiding Coverage Pitfalls

REMEMBER THE SNOWFLAKE

Vendors

– Policy Example 1

– Policy Example 2

Social Engineering

– Policy Example 1

The “Cloud”

– Policy Example 1

– Policy Example 2

– Policy Example 3

Business Income Loss

– Policy Example

Remember the Cyber Misnomer

– Policy Example 1

– Policy Example 2

A Look At Exclusions: The Tailorable

– Policy Example: Any member of the “Control Group,” e.g., CEO, CFO, RM, CRO, CIO, GC

A Look At Exclusions: The Unacceptable

– Policy Example

Cyberterrorism

– Policy Example 1

– Policy Example 2

– Policy Example 3

The Importance of the Retroactive Date

– Request a “Retroactive Date” of at Least a Year

REMEMBERING THE SNOWFLAKE

• Embrace a Team Approach

• Understand the Risk Profile

• Review Existing Coverages

• Purchase Appropriate Other Coverage as Needed

• Remember the “Cyber” Misnomer

• Spotlight the “Cloud”

• Remember the Retro Date

• Selection of Counsel and Vendors

• Engage a Knowledgeable Broker and Outside Counsel

• Carefully Review the Application

Best Practices Checklist

BEWARE THE FINE PRINT

REMEMBER THE DEVIL IS IN THE DETAILS

MIND THE GAPS

“A well-drafted policy will reduce the likelihood that an insurer will be able to avoid or limit insurance coverage in the event of a claim.”

Roberta D. Anderson, Partner, K&L Gates LLP (April 13, 2016)

In the Event of a Claim

• Include notification to insurers as part of incident response plan

• Most cyber policies impose time restrictions regarding notification of cyber incidents (e.g. network attack, data breach, extortion threat, network interruption) and third party claims to insurers

• Specified time limit, “immediately” or “as soon as practicable”

• Compliance with notice provisions is essential to avoid potential coverage denials

Notice

• Many cyber policies provide for notification of circumstances which may or are likely to give rise to claim or loss

• Can prove beneficial to the insured, as it operates as an extension of cover

• Crystal ball gazing: a real risk of a claim or loss

Notice of Circumstances

• Many cyber policies provide for insured to co-operate with insurer in defense and settlement of any claims

• Many policies silent as to choice of law firm or provide for insurer panel firms

• Consider reserving right to appoint own choice of law firm or agreeing up front

• Selection of defense lawyers is important in the cyber context

• Many claims require specialist defense counsel with particular experience in this area

Cooperation Clause