Coverage as complex as technology
There is a wide range of insurance products within the generic umbrella of Technology or Cyber Risk insurance. Some policies provide first-party coverage that insures covered losses backed directly by you, the policyholder. Other variations provide coverage that includes losses to third parties: your customers. Professional liability insurance is the most important insurance requirement built into every IT service contract. Menu-based policies allow selection between coverage modules to better match coverage to the IT company’s specific business exposures. Because this is arguably the most important insurance you’ll ever buy, it’s important not to approach buying this insurance like a commodity. All policies are not created equal. Investing time to compare available coverage options and policy limitations is essential to ensure that your business receives adequate liability protection.
Exclusions – A good place to start to understand what your policy covers.
Being clear about what your Cyber Risk policy does not cover is as important as understanding what it does cover. Some of the notable exclusions to the coverage contained in the Cyber Risk policies are summarized below. It is important to note that the exclusions of a policy do not always appear in the Exclusion section. Many insurance policies often incorporate coverage limitations in other parts of the policy, such as within the Definitions section. Similarly, policy exclusions sometimes contain carve-backs or exceptions to the exclusion that typically make a portion of an exclusion inapplicable, extending coverage in specifically defined circumstances.
Some typical exclusions are:
• Claims that involve the withdrawal, replacement, repair or supplementation of the Insured’s product or service.
• Complaints alleging software failures involving software that is in a test phase or not in general commercial release.
• Claims for fee disputes.
• Claims for electrical, mechanical or telecommunications failures or interruptions, unless the failure was caused by illegal acts covered by the Insured.
• Claims alleging invalidity, misappropriation, or infringement of a patent, trade secret, copyright, trademark, or service mark, unless arising out of electronic publishing activity.
• Certain proceedings initiated by federal, state, or local government agencies, licensing authorities, or rights organizations, except for claims related to privacy or network security.
• The claims that allege the unauthorized collection of personal data of third parties with the knowledge of the main partner, director or official of the Insured are attributed to other Insured and/to the entity.
Readers should not get the impression that these policies do not cover much. Quite to the contrary, these insurance policies provide very broad and valuable coverage. The definition of “unlawful act” found within one of the most prominent cyber risk policies states: “…means any error, misrepresentation, misleading statement, act, omission, negligence, breach of duty, or crime of personal injury actually or allegedly committed or attempted by any Insured in their capacity as such:” That clause is followed by a litany of coverage triggers including, but not limited to: “failure of the Insured’s Technology Services, Technology Products, exposure to Electronic Media, disparagement of product, trade libel, public disclosure of private facts, plagiarism, hacking, copyright and domain name infringement, service mark infringement, negligence with respect to the creation or dissemination of electronic content, non-violation intentional breach of rights or privacy regulations and online extortion threats.
Technological Professional Liability Insurance
IT professionals provide a variety of technology-related services spanning web-based and technology-based services. Liability may arise from the ineffective provision of professional services. These claims are generally filed as a failure to perform the services provided as intended. They typically relieve services that caused a client to suffer property loss and/or economic damage due to lost business income. Some claims alleviate the loss because a client’s system was exposed to an unauthorized access threat that could lead to privacy concerns or the threat of cyber extortion. It is important for IT professionals to understand that while the scope of coverage contained in Cyber Risk policies is broad, it is not all-inclusive. For example, these types of insurance policies do not provide coverage for claims involving delays, cost overruns, or other business-related disputes.
The Checklist – Does Your Policy Cover…?
Some questions that technology companies should ask themselves about their Cyber Risk policy…
•Is the defense fully covered without any allocation of defense costs between covered and non-covered claims if at least one covered claim is asserted?
•Does data breach coverage include own and third-party expenses?
• Does the Privacy Coverage apply to third parties such as customers and employees of the Insured?
• Does the policy provide Expense Coverage to comply with the Consumer Privacy Notice regulations and credit monitoring expenses?
• Are the costs of hiring public relations or crisis management firms and/or law firms covered in the event of a privacy breach?
•Are data breach claims subject to deductibles, withholdings, or coinsurance?
•Are regulatory penalties, pre-trial and post-trial interest covered?
•Does business interruption coverage include costs to upgrade information assets beyond their pre-loss state?
•Are consequential damages covered?
• Is contractual liability covered if there is liability in the absence of the contract?
•Does the policy’s definition of Legal Proceedings include arbitrations?
•Is Additional Insured coverage available if required by contract?
•Are Independent Contractors covered if the claim is also filed against an Insured?
• Are Defense Expenses for Deceptive or Unfair Trade Practices covered unless a final award is made adverse to the Insured?
• Will the policy provide defense coverage for claims seeking only injunctive relief?
•Does the policy offer an option to include Professional Liability Coverage?
Whether the IT company is a small, medium or large company, when losses arise in relation to the scope of their respective contracts, they can have a devastating effect. Before even considering potential economic damages, the cost of defending a technically complex claim must be considered. Without proper insurance, those defense costs can be enough to cripple most IT service providers, or indeed put severe pressure on a company’s profitability. In addition, there are public relations consequences and other related expenses that may be incurred in connection with such claims. Technology or cyber risk insurance, if designed correctly, provides critically important protection for any technology-related business, ensuring its ability to continue operating even after suffering a devastating professional services claim.