Cyberinsurance policies typically provide first and third party coverage. First party coverage relates to an insured’s own expenses in investigating and remediating a data breach, and recovering the insured’s data and other information assets. Third party coverage kicks in when customers and regulators seek to hold the insured accountable for the breach.
But we know this already, right?
We also know that underwriters started with commercial general liability (CGL) forms when they started writing cyber policies because, well, it was the closest thing they had on file and nobody likes to start from scratch. I’ve previously discussed how this has led to some CGL provisions spilling into cyber policies even though they really don’t belong. The contractual liability exclusion, the acts of war/terror exclusions, etc.
Here’s another potentially problematic one. The ‘No Action Against Us’ provision. Also known as, ‘you can only sue us if…’
I recently reviewed a cyber policy that contained the CGL standard version of that provision: “NO ACTION AGAINST US: No action may be taken against us unless, as conditions precedent thereto … the amount of the Insured’s obligation to pay has been finally determined either by judgment against the Insured after adjudicatory proceedings, or by written agreement of the Insured, the claimant and us.”
In CGL world, that makes sense. You need a judgment or a settlement agreement to fix third party liability. If the insurer still won’t pay the claim, the two of you can battle it out in court to see who is really going to foot the final-form bill.
But the cyber policy I was reviewing also provided first party coverage for cyber investigation expenses, even in the absence of a third party claim. There won’t be an adjudication. There won’t be a judgment or a settlement. There may not even be a claimant. It’s just a business that has identified a potential breach and wants to bring in a forensic IT firm that its cyberinsurance policy is supposed to cover. If the carrier says nuh-uh, what is the insured’s remedy in light of the ‘No Action’ provision?
Other carriers have recognized that the ‘No Action’ clause doesn’t fit in the first party context and therefore draw a distinction between the first and third party coverage. These policies use a standard ‘No Action’ clause for third party coverage but employ language like this for first party claims: “The Insured Organization may not bring any legal action against the Company involving First Party Loss of Expenses: (a) until 60 days after the Insured Organization has filed proof of loss with the Company…”. In other words, you can’t sue us until we’ve at least had a chance to see what exactly you have going on. Fair enough, don’t you think?
It is critical that a policy offering both first and third party coverage account for that fact in provisions purporting to limit an insured’s right to bring legal action against a carrier in the event of a disputed first party claim. And since some carriers have already made this revision to their cyber forms, others should be willing to follow suit.