Magazine article National Defense

The Ins and Outs of Cyber Liability Insurance

Article excerpt

Losses from cyber events can be staggering for government contractors. Attacks, often from nation-state-sponsored entities, can cause millions of dollars in losses and be devastating for a business.

For example, in 2014, a high-profile provider of background checks to the Office of Personnel Management experienced theft that allegedly exposed the personal information of about 27,000 government employees.

OPM terminated its contract, resulting in $417 million in lost revenue, and the contractor's parent company was forced to file for bankruptcy protections. This was in addition to the cost to notify the employees of the breach, the costs of the related litigation and the damage to the reputation of the contractor.

Cyber liability insurance may offer a lifeline to government contractors to minimize financial losses in the event of a breach. Unfortunately, such policies are both complicated and rapidly changing. There is no standard policy form, which means that the coverage offered by one insurer can--and often does--differ dramatically from that offered by another insurer.

There is also little agreement between insurers on what should be covered, when the coverage should be triggered or even how basic terms should be defined. These differences make understanding what is and is not covered very difficult. They also make it nearly impossible--or at least foolish--to purchase this coverage based on price alone.

One of the biggest challenges for government contractors trying to purchase cyber insurance coverage is simply knowing what to ask for from an insurer. There are many areas where government contractors should negotiate changes to their cyber liability insurance policies.

A typical prior acts exclusion excludes coverage for any claim based upon wrongful acts that occurred prior to a certain date--often the inception date of the policy. This can be extremely problematic in the cyber context because hackers may install spyware, viruses and other malware long before a breach is discovered. If the policy considers the intrusion date as the date of the wrongful act, a contractor may end up with no coverage for a breach that is discovered after the policy has incepted. For this reason, contractors should make every effort to avoid prior acts exclusions whenever possible.

Many government contractors are surprised to learn that cyber liability policies generally exclude coverage for portable electronic devices such as laptop computers or cell phones. Obviously, this can severely limit the coverage provided by a policy. Fortunately, many insurers will remove this exclusion if a contractor agrees to provide "satisfactory" encryption for any data contained on the portable devices--something most government contractors do already.

Cyber liability policies often exclude coverage for any claim "arising out of, based upon or attributable to" property damage and bodily injury. This is too broad for many government contractors. Instead, the quoted language should be replaced with the word "for."

This change is important because, although a cyber policy is not intended to cover general liability exposures such as bodily injury or property damage, it must still be able to respond to claims based on the breach that do not involve bodily injury or property damage directly--even if such losses were also caused by the intrusion.

The bodily injury/property damage exclusion should also include a carve back for mental anguish, emotional distress and shock caused by a cyber event. …
