Last Updated on July 8, 2022
The cyber liability insurance marketplace is going through some major shifts, characterized by much higher premiums, more restrictive policy terms, tougher underwriting scrutiny and intensified pushback on claims.
This evolving scenario amplifies the need to proactively review and position your cyber liability insurance coverage relative to other policies, such as crime insurance and Directors & Officers (D&O) insurance.
To give SMB leaders clear and comprehensive advice on navigating today’s cyber liability insurance concerns, Eric Jesse, Partner at Lowenstein Sandler LLP, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as usual.
Mind the gaps
If you don’t review cyber insurance alongside related policies that might also be invoked in the event of a cyber incident, you could end up with unanticipated coverage gaps that expose you to unacceptable risk.
Eric explains: “The starting point is really to make sure that a company has the right insurance program in place. So, they have a cyber policy. Good. Do they have a D&O policy? Good. Do they have a crime policy? Good. Do they have a professional liability policy? Good. Those are things we want to just make sure companies have as a starting point.”
Sweat the details
“At that point you want to drill down a little bit,” continues Eric. “You need to make sure that you have that panoply of coverage because a cyber incident can implicate multiple different types of coverage. For example, you’re going to look to your cyber policy to respond to the third-party claims brought by the employees or the consumers whose data has been lost or stolen.”
In addition, for public companies there could be shareholder lawsuits brought against the board alleging that the board didn’t exercise proper oversight or didn’t make sure the right cybersecurity controls were in place. Therefore, the stock price went down and the value of company was harmed as a result. At that point, you’d be relying on your D&O insurance policy.
“That’s part of the reason why you need—as a starting point—to make sure that program or those programs exist,” Eric emphasizes. “Then, in the cyber context, you need to make sure that policy has the right coverages because for companies that provide professional or technology services, you can get coverage for that risk in a cyber policy. Companies that have media liability exposure can get coverage for that in a cyber policy.”
Crime insurance is another core policy most organizations need.
“Crime insurance can be a little tricky,” Eric acknowledges. “Companies should have a crime policy, for sure. But in my experience, when a crime insurer has been faced with a cybercrime claim, like a fraudulent instruction or social engineering claim where you have this threat actor pretending to be the CEO of the company and pretending to email an employee to wire funds… That [theoretically] can be covered under a crime policy, but crime insurers in my experience just resist covering those [scenarios].”
Eric recommends that companies try to get cybercrime coverage added to their cyber liability insurance policy, because claims handlers in that area are more accepting of those claims.
“They have the right mindset to try and provide coverage,” Eric clarifies.
What about personal liability for business leaders?
John asks, if a company was deemed negligent following a breach and didn’t have appropriate D&O coverage, could an action end up “piercing the corporate veil” and creating personal liability for owners and/or directors?
“Let’s say that you’re an owner of an organization, and you fail to put the proper information security controls in place,” John hypothesizes. “Then there’s a giant breach. Could the owner of said company end up in a situation that breaches the corporate veil, and they’d have some personal liability?”
“I think that scenario is always out there,” Eric advises. “I know that piercing the corporate veil and these alter ego claims are often going to be very fact sensitive. So that’s just going to depend on how is that company being run. But that can be one of the beauties of a D&O policy, for example, where that policy is designed to cover directors and officers. So, if that corporate veil is pierced, to go after the directors or officers directly, you can look to that D&O policy.”
Likewise, most cyber liability insurance policies don’t just cover the company, but also the directors and officers and employees who may be negligent. However, this generally doesn’t apply to someone “going rogue” and committing blatant crimes.
To tune in to this business-level legal discussion with Eric Jesse, click here.
How is cyber liability insurance intended to mitigate risk? This blog post will give you a view: 80/20 Cyber Security, Part 4—The 3 “Damage Control” Controls