Coverage as complex as the technology
There is a wide range of insurance products within the generic umbrella of Technology or Cyber Risk insurance. Some policies provide first-party coverage that insures covered losses supported directly by you, the policyholder. Other variations provide coverage that includes losses to a third party – your customers. Professional liability insurance is the most important insurance requirement built into every IT service contract. Menu-based policies allow selection between coverage modules to better match coverage to the IT company’s specific business exposures. Because this is arguably the most important insurance you will ever buy, it is important not to approach the purchase of this insurance as if it were a commodity. All policies are not the same. Investing time to compare available coverage options and policy limitations is essential to ensuring your business receives adequate liability protection.
Exclusions – A good place to start to understand what your policy covers.
Being clear about what your Cyber Risk policy does not cover is as important as understanding what it does cover. Some of the highlighted exclusions to the coverage contained in the Cyber Risk policies are summarized below. It is important to note that a policy’s exclusions do not always appear in the Exclusion section. Many insurance policies often incorporate coverage limitations in other parts of the policy, such as within the Definitions section. Similarly, policy exclusions sometimes contain carve-backs or exceptions to the exclusion that typically make a portion of an exclusion inapplicable, thereby expanding coverage in specifically defined circumstances.
Some typical exclusions are:
• Claims involving the withdrawal, replacement, repair or supplementation of the Insured’s product or service.
• Claims alleging software failures involving software that is in a testing phase or not in general commercial release.
• Claims for fee disputes.
• Claims for electrical, mechanical or telecommunications failures or interruptions, unless the failure was caused by unlawful acts covered by the Insured.
• Claims alleging invalidity, misappropriation, or infringement of a patent, trade secret, copyright, trademark, or service mark, unless arising out of electronic publishing activity.
• Certain proceedings brought by federal, state, or local government agencies, licensing authorities, or rights organizations, except for complaints related to privacy or network security.
• Claims that allege the unauthorized collection of personal data by third parties with the knowledge of the main partner, director or official of the Insured are imputed to other Insureds and/to the entity.
Readers should not be left with the impression that these policies do not cover much. Quite the contrary, these insurance policies provide very extensive and valuable coverage. The definition of “unlawful act” found within one of the most prominent cyber risk policies states: “…means any error, misrepresentation, misleading statement, act, omission, negligence, breach of duty, or personal injury crime actually or allegedly committed or attempted by any Insured in his or her capacity as such:” That clause is followed by a litany of coverage triggers including, but not limited to: “failure of the Insured’s Technology Services, Technology Products, exposure to Electronic Media, product disparagement, trade defamation, public disclosure of private facts, plagiarism, piracy, copyright and domain name infringement, service mark infringement, negligence regarding the creation or dissemination of electronic content, non-violation intentional violation of privacy rights or regulations and online extortion threats”.
Technological Professional Civil Liability Insurance
IT professionals provide a variety of technology-related services spanning web-based and technology systems-based services. Liability may arise from the ineffective provision of professional services. These claims are generally presented as a failure to perform the services provided as intended. They generally relieve services that caused a client to suffer property loss and/or economic damage due to loss of business income. Some claims alleviate loss because a customer’s system was exposed to a threat of unauthorized access that could lead to privacy concerns or the threat of cyber extortion. It is important for IT professionals to understand that while the scope of coverage contained in Cyber Risk policies is broad, it is not all-inclusive. For example, these types of insurance policies do not provide coverage for claims involving delays, cost overruns, or other business-related disputes.
The Checklist – Does Your Policy Cover…?
Some questions that technology companies should ask themselves about their Cyber Risk policy…
•Is the defense fully covered without any allocation of defense costs between covered and non-covered claims if at least one covered allegation is asserted?
•Does the data breach coverage include own and third party expenses?
•Does the Privacy Coverage apply to third parties such as clients and employees of the Insured?
• Does the policy provide Expense Coverage to comply with Consumer Privacy Notice regulations and credit monitoring expenses?
• Are the costs of hiring public relations or crisis management firms and/or law firms covered in the event of a privacy breach?
•Are data breach claims subject to deductibles, withholdings, or coinsurance?
•Are statutory fines, pre-judgment and post-judgment interest covered?
•Does business interruption coverage include costs to enhance information assets beyond their pre-loss state?
•Is consequential damage covered?
•Is contractual liability covered if there is liability in the absence of the contract?
•Does the definition of Legal Procedures in the policy include arbitrations?
•Is Additional Insured coverage available if required by the contract?
•Are Independent Contractors covered if the claim is also filed against an Insured?
• Are Defense Expenses for Deceptive or Unfair Business Practices covered unless a final award is rendered adverse to the Insured?
• Will the policy provide defense coverage for claims seeking only injunctive relief?
•Does the policy offer an option to include Professional Liability Coverage?
Whether the IT company is a small, medium or large company, when losses arise in relation to the scope of their respective contracts, they can have a devastating effect. Before even considering potential financial damages, the cost of defending a technically complex claim must be considered. Without adequate insurance, those defense costs can be enough to cripple most IT service providers, or indeed put severe pressure on a company’s profitability. In addition, there are public relations consequences and other related expenses that may be incurred in connection with such claims. Technology or cyber risk insurance, if designed correctly, provides critically important protection for any technology-related business, ensuring its ability to continue operating even after suffering a devastating professional services claim.