Are You Adequately Protected by Your Cybersecurity Insurance? The Sky is the Sub-Limit
For businesses and nonprofit organizations searching for cyber insurance, it is important to know if your coverage limits are adequate. Whether you are in the market for a new policy or renewing an existing one, you should explore whether your policy has a “sub-limit” that places limitations on your losses and liabilities that may be covered.
In a 2015 report, Pricewaterhouse Coopers estimated that cyber insurance premiums could increase from $2.5 billion in 2015 to $7.5 billion by 2020. Considering that more and more companies are working to manage their cyber liability, this boom in the insurance industry isn’t that surprising. A 2012 Verizon study revealed that 71% of security breaches occur in businesses with 100 or fewer employees. As (particularly smaller) businesses and nonprofit organizations are realizing they are exposed to cyber-attacks, they are seeking ways to insure against these risks.
Despite the increased demand for cyber insurance, the scope of coverage can vary greatly. Cyber policies are still fairly new and terms are not yet “standardized” to the same degree as many other insurance products. Thus, when shopping for (or renewing) a policy, be mindful not to evaluate and compare policies based solely on price. What sort of risk are you insuring against with your premiums?
A sub-limit is not unique to cyber insurance. All insurance policies have limits and many have sub-limits. A “sub-limit” limits the amount of coverage available to cover a specific type of loss. For example, in a commercial property policy with a $2 million general limit on liability, there may be a $100,000 sub-limit on coverage for loss from flood, a $500,000 sub-limit on loss from earthquake, and a debris removal sub-limit of 25 percent of the direct damage loss amount.
Similarly, cyber insurance policies may include sub-limits. For example, buying a cyber liability policy with a $1 million limit generally means the policy would cover qualified expenses up to $1 million. However, if your policy has a sub-limit for, as an example, crisis management expenses, call-center costs or regulatory investigations, you are covered only up to that sub-limit for those enumerated expenses (as they are defined in the policy) When evaluating a policy, look for these sub-limits, how the terms are defined, and whether your coverage – as limited – is adequate for your needs and risks. Identifying the appropriate protection requires you to make realistic estimates about your exposure and vulnerabilities to a cyber-attack or data compromise.
A recent case out of Louisiana state court highlights the importance of sub-limts. New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, et al., No. 2015-11711 (Civ. Dist. Ct. for Orleans Parish, Louisiana). The Hotel Monteleone purchased a policy that contained a $3 million limit on liability and a $200,000 “sub-limit,” for “Payment Card Industry fines or penalties . . . arising solely from a privacy event, or security event.” When the Hotel suffered a breach of consumer credit card numbers – and faced a damages demand from a payment card processor – it and the insurer could not agree on whether the definition of the sub-limit encompassed the particular claim. The Hotel filed suit on December 10, 2015, seeking a declaratory judgment and alleging breach of contract and bad faith against the insurer and, in the alternative, negligent failure to procure insurance coverage against its broker. The case was removed to federal court in early 2016, and it has been stayed pending the outcome of Alternative Dispute Resolution.
The lessons here is clear: don’t hesitate to ask questions to ensure you understand the scope of any sub-limit and how it may apply to potential losses, especially in those areas where your business is most vulnerable.