Understanding the Scope of a Cyber Liability Policy

The following is a discussion between IRIS Contributor A ndrew J. Fotopulos and E.J. Yerzak is Vice President of Technology at Ascendant Compliance Management, Inc., a regulatory compliance consulting firm which performs risk assessments, annual reviews, due diligence reviews, and Information Technology Risk Assessments for investment advisers, broker-dealers, and advisers to private funds.

Yerzak: Are regulatory defense costs, fines, and penalties covered under a Cyber Liability Policy?

Fotopulos: The answer is case by case or policy by policy. However, the majority of policies provide coverage for defense costs and fines/penalties for violations of privacy regulations, including the Identity Theft Red Flags Rule.

Yerzak: Is there first party coverage (financial harm to you, the insured financial institution) or third party coverage (damages to others based on your actions or inaction)? What about coverage for external hackers, coverage for malicious insiders, or inadvertent breaches by employees?

Fotopulos: Again, this is a (insurance) policy by policy consideration when determining which insurance protections to purchase for your firm. The policies for Cyber Liability are not generic and are ever evolving. Another issue to consider when deciding among policies is what coverage may already be in place under other insurance policies such as a Fidelity Bond or D&O/E&O Liability policy as to whether you need these coverages under your Cyber Liability Policy. For instance, the primary intent of a Fidelity Bond or Commercial Crime Policy is to protect your firm against financial loss due to a dishonest act of an employee. The D&O (Directors & Officers Liability) policy is designed to protect your firm against loss for issues such as lack of due diligence or breach of duty by your firm and its employees. In other words, what due diligence have you done to ensure that your clients’ personally identifiable information is secure with the vendors or independent contractors utilized?

Yerzak: What minimum insuring agreements should be included?

Fotopulos: Again, this is a factor influenced by the existence of other insurance contracts you may have in place. Some of the basic insuring agreements under a Cyber Liability Policy include Network Security & Privacy, Breach Response Costs, Network Asset Protection, Reputational Expense, Regulatory Defense & Penalties, Multimedia Insurance, as well as Cyber Extortion and Cyber Terrorism. Buyer beware, all insurance policies have an “other insurance” provision within the policy that states that their policy may not apply or only apply as excess to any other collectible insurance policy. Coordinating coverage can prevent disputes among carriers.

Yerzak: Does the adviser need to encrypt everything in order to be approved for a policy?

Fotopulos: Whether the insurance policy itself goes into “encryption” requirements or not, every policy has what we refer to as the “Uniform Commercial Code” Exclusion. Common policy language states, there is no coverage for loss based upon, arising from, or in any way involving the actual or alleged government enforcement of any state or federal regulation including, but not limited to, regulations promulgated by the United States Federal Trade Commission, Federal Communications Commission, etc. Article 4A, under the Uniform Commercial Code requires encryption when it comes to Wire Transfers.

Yerzak: Generally, who should report a cybersecurity incident to the carrier, and what is the timing for such reporting?

Fotopulos: There is no standardized wording but the more narrow the definition of “who becomes aware of the situation” before the reporting requirement kicks-in, the better. Some policies state that you have to report within 60 days when an employee becomes aware of the event that may cause a loss. If the event is not immediately brought to the attention of the person familiar with the insurance policy requirements, policy provisions may be violated thus void coverage. Other insurance policies state that the Risk Manager, General Counsel, or a senior officer or director of the firm must first become aware of the event before the reporting provision clock starts ticking. This is also where your firm's Written Policies and Procedures’ escalation requirements need to be coordinated with your insurance policy reporting provisions. Coverage for forensic investigation and data breach notification costs are essentials when purchasing a Cyber Liability Policy, but you need to be aware of whether or not the limits are within or in addition to the policy limit of liability. Specific to data breach notification, there may be restrictions in terms of the number of individuals, records or a sub-limit of liability that applies.

Yerzak: Are policies calculated based on number of clients, number of records, number of employees, type of data?

Fotopulos: The insurance industry has not come-up with a unified method of determining the cost for this policy. Employee count, records, transactions, and annual revenues are some of the various factors insurer’s utilize to rate a risk. The key is coordinating your various insurance policies to ensure you have the right protection for your unique risk and that the firm’s Written Policies and Procedures are coordinated with your insurance policies. Due diligence is a continuous process and needs to be performed at many and various levels not only to properly protect your firm but you as CCO.