On Tuesday, I was privileged to be part of a panel discussing cyberinsurance for public pension funds at Kessler Topaz’s Evolving Fiduciary Obligations for Institutional Investors conference, joining Victoria Hale, General Counsel of the Denver Employees Retirement Plan, and pension attorney Chris Waddell. We emphasized that the cyberinsurance procurement process is unique as compared to the renewal of traditional lines. The coverage is highly negotiable and definitely not one-size-fits-all. Here are a few pension-fund specific tips.
First, make sure intentional employee misconduct is covered. Insider misuse is among the most prevalent causes of data breaches for financial and public institutions. Yet, because cyberinsurance forms largely trace their roots back to commercial general liability policies, some of them still contain the traditional ‘intentional acts’ exclusion that bars coverage for an insured’s intentional misconduct. To make sure that your policy covers one of the most common breach causes, push back on this exclusion. Carriers will typically agree to a carve-out for ‘rogue employees,’ or will limit the definition of “insured” to employees only when acting within the scope of their employment. Either should leave coverage intact when employees purposefully misbehave.
Second, be wary of cyber-endorsements to E&O and D&O policies. These endorsements are presented as low-cost alternatives to stand-alone cyberinsurance, but, as I covered here, you may be purchasing dangerously limited coverage. Many of these endorsements cover only third-party risks – i.e., the class action lawsuit filed by individuals whose data has been compromised. This is likely not the most significant risk faced by funds. In fact, the most expensive elements of a data breach for public and financial institutions are legal advice for breach notification, forensic IT work to identify and fix the problem, and the breach notification itself, which generally costs $2-3 per notice recipient. Cyber-endorsements can be inexpensive, but they are only valuable if they contain an appropriate mix of first- and third-party coverages, the former of which must include breach coaching, IT response and breach notification.