Texas Lawyer Article: If Cyber Risk Isn’t on Your Radar, It Should Be
By Amy Stewart Law
As data breaches continue to make headlines, growing numbers of businesses are seeking to manage their cybersecurity risks through insurance. The cyber insurance industry, however, is still in its infancy, with little standardization and even less case law to guide policyholders and their legal advisers.
As Amy Elizabeth Stewart writes in her recent Texas Lawyer article, Cyber Insurance 2017: 3 Lessons Learned, the small but growing body of case law is nevertheless instructive. She analyzes decisions in three cases: Travelers Prop. Cas. Co. of Am. v. Fed. Recovery Services, Columbia Casualty Co. v. Cottage Health System, and P.F. Chang's China Bistro, Inc. v. Fed. Ins.
While "cyber insurance policies" are relatively new, today's "cyber" policies bear close resemblance to the technology errors and omissions policies of yesteryear—sporting updated nomenclature that references data breaches and network or system failures. Cyber policies, like the risks they insure, are evolving at the speed of light based on market demands. In response to increasingly sophisticated cybersecurity risks, insurance companies competing for market share are trying to balance innovation with profitability.
To date, cyber policies remain largely untested. The first widely-reported cyber insurance decision was issued a little over a year ago and only a few lawsuits have followed. While uncertainty may be prompting compromise resolutions in lieu of litigation, there are some lessons to be learned from the handful of cyber coverage lawsuits filed to date.
Policyholders, Amy writes, should take three lessons from the cyber cases that have been decided thus far:
- The details – including which words modify which other words in the policy – matter
- Corporate policyholders should watch carefully for exclusions that effectively shift the risk back to the insured.
- Corporate policyholders must understand both the exposures they seek to insure and the scope of the coverage provided by their policies.
“As cyber insurance continues to evolve, policyholders and insurers alike must manage exposures in an environment that faces new threats on daily basis,” Amy concludes. “Until the provisions of these non-standardized policies are tested by the courts, the uncertainty is best addressed by careful risk assessment and proactive negotiation during the underwriting process.”