By Dudley Kneller, Partner, Madgwicks Lawyers, Melbourne, Australia
In-house counsel are often charged with the task of assisting their business to put in place effective insurance arrangements. Whilst the in-house community will be fairly comfortable with the requirements relating to public liability and professional indemnity insurance policies, cyber risk is another matter entirely.
With increasing awareness of cyber security risk issues there is now a vast array of information available which provides organisations with advice on how best to combat cyber security breach events. There is, however, little information on cyber insurance products and whether they should form part of an organisation's cyber risk mitigation strategy.
So with an increasing number of organisations looking to take up cyber insurance as part of a broader cyber security strategy, there are some key issues for in-house lawyers to bear in mind. If called upon to assist your business with its cyber risk policy requirements, make sure you ask your insurer the following:
1. What are the minimum technology security requirements expected under this policy?
Often policies will impose minimum technology security requirements before offering any sort of coverage. Your organisation can expect to be qualified by the insurer who will want to confirm "adequate" technology security controls are in place to begin with. If they're not up to scratch your application will likely be refused.
Insurers and brokers are often a good source of information and best practice. Ask your broker if they can refer experts who can assist with putting in place adequate security protocols, cyber compliance programs or undertake testing to assist an organisation to get up to speed.
2. Are there any additional measures you can put in place to reduce your premium?
It may be worth considering putting advanced security measures in place to give the insurer additional comfort and more importantly reduce your organisation's premium. Your broker or insurer can advise on some "quick wins". Ultimately however, your organisation will need to weigh up the reduced premium against the cost and additional time and resources involved in implementing such measures.
3. What ongoing audit and compliance obligations are required?
Most policies will require some form of regular audit as well as ongoing compliance reporting for the policy to remain current. Some insurers reserve the right to audit systems and security protocols that are in place. It is important that you and your team fully understand and can plan for these activities, as failure to meet the expected requirements may mean your organisation's policy will not respond when it needs to.
Be careful too with agreeing to audit rights which are overly burdensome. Whilst it may be reasonable for your insurer to request such a right, make sure there are some reasonable parameters in place. Limit the audit right to once per annum if you can, push for the audit to be undertaken by an independent expert rather than the insurer and make sure the auditor is required to comply with your organisation's reasonable directions and applicable company policies and procedures.
4. How do response and management protocols affect insurance obligations?
Ensure you have clear response and management protocols, and that they are well understood by all relevant stakeholders. As part of putting arrangements in place you may be required to draft an appropriate data breach plan and ensure it is effectively implemented throughout the organisation.
In the event of a security breach incident it is important you understand how the breach ties in with any existing insurance obligations. Even with all your policies and procedures in place, if they are not properly followed in the event of a claim this may be the difference between the policy responding or not.
5. What is the minimum downtime before the policy will respond?
Beware policies which only respond after a minimum downtime period. Once triggered, cyber security breach events unfold extremely quickly; if you have to wait 12 or 24 hours before calling on the policy to assist, it may be too late. Whilst your organisation may have to pay extra for a reduced period, it might be worth it in the end.
6. How will the policy and its scope evolve over time?
Technology is evolving so fast and hackers are generally at the forefront, picking up on new vulnerabilities and opportunities to ply their trade. You need to understand how the policy evolves over time to pick up and include additional risks as they become apparent. Is this something the insurer addresses once a year or is it ongoing?
You also need to understand if these updates will result in a change in coverage and consider any additional costs that might be associated with amending the scope as well as any new exclusions which come with such changes. Ask your insurer if there are likely to be any changes which may affect your organisation's risk profile.
Finally, beware any overlaps, but more importantly "gaps" between policies which will leave the organisation exposed.
7. What is the impact of a breach on your premiums?
Understand the impact of a breach on premiums and any additional obligations which are likely to be imposed in the event a claim is made. Are there any benefits in not making a claim - will this reduce the premium at all?
8. Does the insurer understand your industry and its regulators?
Confirm the insurer understands your organisation's industry and any unique regulatory requirements which may apply. If an organisation is in a regulated space, it will be having ongoing discussions with its main regulators to make sure it is aware of any relevant standards or other best practice which a regulator expects to be covered off.
Brokers and insurers that claim to have particular experience in an industry should be doing the same to ensure they factor in "nuances" which may affect the policy.
9. What is the timeframe in which you must report a breach in order to benefit from your policy?
Often breach events take months or in some cases years to discover. It may well be that by the time the breach is discovered, there is a reporting period exemption that affects your organisation or the policy has expired. Some insurers will allow organisations to pay an "optional extended reporting period premium" to provide additional time in which they can notify of a claim arising during the period of the policy. This optional period is generally no more than 12 months however, so may not pick up on these "sleeper" events.
10. What regions/territories are you covered in and any final considerations?
Insurers will typically not provide insurance cover for any action for damages brought in a court outside the policy's specified territories. It is therefore crucial to ensure any territory limitations which may apply to a policy are considered and, additionally, how claims affecting business conducted outside of Australia will be treated. Finally, carefully consider the policy terms and conditions. This generally goes without saying, but "the big print giveth and the small print taketh away".
What many organisations fail to realise is that there is room to negotiate on these issues - both the big and the small print. As in-house counsel, whilst this area may not be "business as usual" for you, if you arm yourself with the right questions and do a little homework beforehand you will be well placed to successfully navigate the cyber insurance conversation with your internal stakeholders in the business as well as with external brokers and cyber insurers.
Additional Resources
Data breach notification - A guide to handling personal information security breaches
Once More Unto the Breach: Why and How to be Ready for a Data Breach