APRIL 2023 BAR BULLETIN APRIL 2023 | Page 25

TECHNOLOGY CORNER

ROBERT W. WILKINS

Four Tips to Avoid Denial of Cyber Insurance Coverage for a Data Breach

Steps to take now to be sure you and your clients are covered by your cyber liability insurance.
Most law firms and clients have cyber liability insurance. Cyber insurance policies provide broad coverage for cyber extortion, data restoration, public relations, computer fraud, business interruption, regulatory compliance, and related risks. However, having coverage is one thing; keeping it is another. The coverage under a policy depends on the representations the insured makes in its application and its subsequent compliance with them. One of the biggest reasons for coverage denial is misrepresentations, omissions, or incorrect statements in the insured’s application for the policy, or the failure to notify the insurer of any material changes in its security practices.
A typical application for cyber liability insurance will contain a privacy and security liability questionnaire, as well as a section on information security. According to an August 2022 Fitch Ratings Report, some of the key items insurance providers require for coverage include the use of multifactor authentication, employee training on phishing and other types of cyberattacks, strength-of-password requirements, regulatory reporting obligations, as well as an assessment of the quality of the insured’s incident-response plan and penetration testing. The insured’s compliance with the requirements is required to keep the coverage.
The Hole in the Cyber Insurance Net
There is a hole in the cyber insurance net that stems from the insured’s inadvertent (hopefully not intentional) failure to understand its security measures and maintain them throughout the life of the policy. Unfortunately, too many insureds — law firms included — do not have a written information security policy (WISP) that sets forth the procedures for evaluating their electronic and physical methods for accessing, collecting, storing, and protecting their data. Unless you know what you have and where it is located, it’s hard to know what you need to protect.
An insured’s failure to fully understand its data security practices and procedures can lead to material misrepresentations, omissions, and incorrect statements in the application for insurance. The consequences of misstatements or omissions in the policy application cannot be overstated. Unfortunately, one business that had a large data breach suffered those consequences when it was denied coverage and had its policy rescinded.
In Travelers Prop. Cas. Co. v. Int’l Control Servs., Inc., 2:22-cv-02145, complaint filed, 2022 WL 2532994 (C.D. Ill. July 6, 2022), Travelers sought to rescind its cyber liability coverage of the insured, International Control Services (ICS), because of material misrepresentations allegedly made by the insured in connection with its application for the policy. The insured had represented that “to the best of [its] knowledge and belief, and after reasonable inquiry, the statements provided in response to this Application are true and complete ….” (Id.). Travelers’ success in rescinding the policy was based on the fact that ICS, in its policy application, stated (and signed a separate attestation) that it required multifactor authentication to gain administrative access to its data. Upon investigation, Travelers determined that ICS misrepresented the scope of its authentication process, resulting in the breach. The parties agreed to rescind the policy and the lawsuit was dismissed with prejudice by a stipulated order.
The Travelers case clearly establishes the consequences of an insured’s failure to follow the policies and procedures claimed in its application. In fact, most insurance policies have a specific exclusion that precludes coverage for claims arising from the policyholder’s failure to maintain adequate security standards. As a result, insureds must regularly monitor, update, and test all cybersecurity requirements mandated in their policy.
The increase in data breaches, the costs resulting from them (which can include potential criminal and regulatory liability), the security measures and representations required by some law firm clients (banks in particular) and insurance companies, and the need to stay abreast of constantly changing threats, demand that law firms (and their clients) implement and closely monitor cybersecurity policies and practices. Best practices require at least an annual review of the written information security policies and practices.
Cybersecurity Checklist
• Read your cybersecurity insurance policy application and representations to confirm each representation is accurate.
• Update your policies and practices to stay on top of changes and innovations in data security.
• Train and test your employees in data security practices and potential breaches, especially phishing schemes.
• Keep an open line of communication with your insurance provider and follow its recommendations regarding cybersecurity. Consider having an outside vendor run penetration tests of your data security systems.
The bottom line: data breaches may be inevitable, but diligence and preparation can mitigate both their financial and reputational impact.
© 2023 Reprinted with permission by the American Bar Association. This article was first published by the ABA Section of Litigation’s Commercial and Business Litigation Committee in January 2023.
Jones Foster Shareholder Robert W. Wilkins is Chair of the Litigation & Dispute Resolution Practice Group and is Board Certified by The Florida Bar in the areas of Business Litigation and Civil Trial. Rob represents and counsels clients in complex business litigation matters, including e-discovery and data privacy issues. He serves as Co-Chair of the Data Security Subcommittee and the E-Discovery Subcommittee of the ABA Section of Litigation’s Commercial and Business Litigation Committee (CBL) and is a past chair and member of the PBCBA Technology Committee.