On Tuesday, I was privileged to be part of a panel discussing cyberinsurance for public pension funds at Kessler Topaz’s Evolving Fiduciary Obligations for Institutional Investors conference, joining Victoria Hale, General Counsel of the Denver Employees Retirement Plan, and pension attorney Chris Waddell. We emphasized that the cyberinsurance procurement process is unique as compared to the renewal of traditional lines. The coverage is highly negotiable and definitely not one-size-fits-all. Here are a few pension-fund-specific tips.
First, make sure intentional employee misconduct is covered. Insider misuse is among the most prevalent causes of data breaches for financial and public institutions. Yet, because cyberinsurance forms largely trace their roots back to commercial general liability policies, some of them still contain the traditional ‘intentional acts’ exclusion that bars coverage for an insured’s intentional misconduct. To make sure that your policy covers one of the most common breach causes, push back on this exclusion. Carriers will typically agree to a carve-out for ‘rogue employees,’ or will limit the definition of “insured” to employees only when acting within the scope of their employment. Either approach should leave coverage intact when employees purposefully misbehave.
Second, be wary of cyber-endorsements to E&O and D&O policies. These endorsements are presented as low-cost alternatives to stand-alone cyberinsurance, but, as I covered here, you may be purchasing dangerously limited coverage. Many of these endorsements cover only third-party risks – i.e., the class action lawsuit filed by individuals whose data has been compromised. This is likely not the most significant risk faced by funds. In fact, the most expensive elements of a data breach for public and financial institutions are legal advice for breach notification, forensic IT work to identify and fix the problem, and the breach notification itself, which generally costs $2-3 per notice recipient. Cyber-endorsements can be inexpensive, but they are only valuable if they contain an appropriate mix of first- and third-party coverages, the former of which must include breach coaching, IT response and breach notification.
Third, breach notification may be the most important aspect of coverage for public pension funds. Though many think of insurance as critical to protect against the risk of third-party lawsuits, in this context breach notification is a requirement with certain (and substantial) costs following almost every breach, while class action lawsuits, and the damages recoverable in them, are by no means certainties. Pension funds maintain enormous volumes of personally identifiable information, often relating to data subjects (retirees and their families) across many states and even abroad. Breach notice is governed by where those individuals reside, not by the fund’s locale. Notice is therefore a complex and massive undertaking. Pension funds must be hesitant to agree to breach notification sub-limits, which can be a fraction of a policy’s overall limits and which generally apply both to breach notice itself and to the legal advice needed to comply with as many as 48 state statutes and a host of even more severe EU rules.
Every industry has to consider its unique characteristics and their impact on cyberinsurance needs. Public pension funds should not have the same coverage as retail stores, consumer banks or power plants. Buying cyberinsurance is important, but buying the right cyberinsurance is critical.