PHILADELPHIA – Cyber risks are evolving, with claims often spanning multiple policies and triggering both first- and third-party coverage, a panel of experts said.
Policyholders should prepare in advance to ensure that they are well-placed to manage claims when they occur, they said during a session at the Risk & Insurance Management Society’s Riskworld conference.
“The cyber policy is constructed in a series of insuring agreements, and they fall into two buckets. They’re either first-party or third-party coverages,” said David Finz, senior vice president at Alliant.
First-party coverage is designed to reimburse an organization’s own costs in responding to an incident, such as legal advice, notification expenses and credit monitoring, even when those actions benefit affected customers, he said.
Third-party losses involve defense costs, settlements and regulatory penalties arising from allegations that security failed or that privacy laws were violated, Mr. Finz said.
“Historically, most cyber claims lived and died in the first-party arena. We are finding now that more and more of them are morphing into third-party claims,” he said.
But cyber losses can fall under multiple policies, he said. For example, social engineering losses may trigger both cyber and crime policies, while disclosure issues can lead to directors and officers liability claims tied to investor losses.
Companies should consider using the same insurer for cyber and professional liability risks to avoid disputes over which policy responds, said Michael Santocki, risk manager for law firm Jackson Lewis.
“I use the same carrier for both. I don’t want a headache,” he said. When different insurers are used, endorsements should clearly specify which policy responds first to prevent conflicts between insurers, he said.
Cyber liability case law is evolving, with several decisions favoring policyholders, said Peter Halprin, a partner at Haynes Boone.
One involved fraudulent vendor payments, in which a court found that ambiguous policy language should be interpreted broadly in favor of coverage, allowing a third-party claim to proceed. Another involved business interruption losses, where courts examined whether customer incentives and other mitigation efforts qualified as covered expenses.
“You are allowed to go out and do things to mitigate your damages, and if it’s a proper mitigation step, then you are entitled to coverage,” Mr. Halprin said.
Purchasing cyber insurance can be a risk management exercise in itself, said Mr. Santocki.
“Use the application as a stress test for your systems,” he said.
Organizations should also build relationships with brokers, underwriters and response vendors in advance and ensure legal, forensic and other partners are approved and ready to act when needed, speakers said.
“If you have a breach, and everybody is going to have a breach one day, you’ve got hours, maybe, to get the show running,” Mr. Santocki said.