Rescission: A Cyber Insurance Time Bomb?
Part Two: Preparing the Cyber Insurance Application
Alexander J. Anglim
This article is Part Two in a series. In Part One, we discussed the looming threat that insurers might look to rescind (i.e., void) cyber insurance policies after claims are filed. As explained in Part One, this risk is magnified by the increasing depth and complexity of the cyber insurance application process. But what can be done to reduce that risk? In this installment, we discuss some practical ways to reduce the chance that your cyber insurer will try to void coverage after a loss.
Assemble Your Team and Use Your Broker And Counsel As Resources
Given the need for up-to-date, technical information when applying for cyber insurance, an essential first step is to make sure that the key individuals with knowledge are involved early in the process. For example, the company’s CTO, if it has one, should be involved. However, additional people may be required, depending on the depth and complexity of the information requested. For example, if the company outsources all or part of its IT and security functions, then one or more knowledgeable representatives of those vendors may need to participate and provide information. The sooner that knowledgeable people are identified and brought into the process, the better. As well, each person should be instructed that accuracy is paramount, and to notify the others involved of any uncertainty or ambiguity in either the questions or the answers.
During this process, the company’s insurance broker and counsel (hopefully, counsel with insurance expertise) should be used as resources. For example, insurance brokers can speak directly with insurance underwriters, if needed, to clarify questions that are unclear or to ask if the insurer is willing to use different or supplemental application forms that might be better suited to the situation. As well, counsel can be tasked with examining the forms to determine whether the language of the application is unequivocal, or if the insurer is accepting a statement that all representations are true to the best of the insured’s knowledge.
In addition, if the company uses an outsourced IT provider, let your broker know. Increasingly, insurers want to identify and qualify such vendors as part of the underwriting process. An experienced broker can guide you through the qualification process and help you to avoid mistakes.
Seek To Qualify Factual Representations
As noted above, and in Part One, rescission risks are heightened if the application requires the insured to represent, unequivocally, that certain facts are true. Be on guard for questions that are phrased in absolute terms, which you might not be able to answer with absolute certainty. Consider the following hypothetical example:
- CFO: I’m doing our cyber insurance application and the insurer wants to know if all of our company-issued mobile devices are encrypted. Are they?
- CTO: Yes.
- CFO: Are you sure?
- CTO: Yes, because the only mobile devices we issue are laptops, about 500 of them company-wide. We started configuring them with hard drive encryption four years ago, and we replace one-third of them annually. Therefore, all of our folks received a new laptop after we started requiring encryption.
- CFO: Thanks! I will sign the application now.
Unstated in this back-and-forth: what happened to the users’ old laptops? Can our heroes be absolutely sure that none of the older non-encrypted machines still exist and could be activated by a user? Perhaps, unbeknownst to them, one manager “stashed” some old laptops just in case they might be needed… and then, when one is needed and put to use, it becomes the means by which a breach occurs. If the policyholder unequivocally represented that “all” company-issued devices were encrypted, then the insurer might be tempted to seek rescission.
Issues can arise with the wording of questions as well. For example, a question might ask whether “you” or the “applicant” follows certain IT security practices (e.g., “Does the Applicant encrypt…” or “Do you test your security at least annually…”). The wording varies widely, so pay attention to whether the question asks what the organization knows (or what it regularly does) or what the person signing the application knows (or does) in each instance. As well, consider whether non-employees (such as IT vendors) are providing the information needed for certain responses; if so, it might not be possible to know for sure that the information is accurate.
For all of these reasons, it may be advisable to have your broker ask any prospective insurers to accept qualified or limited representations in the application for insurance. For example, the person signing the application could represent that he or she performed a diligent inquiry and that the representations are true to the best of his or her knowledge. In general, it seems that such qualified or limited representations should be broadly acceptable to insurers, in part because insurers know that policyholders make mistakes, and that is one main reason that policyholders buy insurance in the first place. In other words, mistakes concerning IT security practices are a type of risk that policyholders want to buy insurance against. If your insurer is not willing to accept a reasonable qualifying statement concerning the accuracy and/or source of the answers in the application, then ask your broker whether other, competing insurers are more amenable. This may be a reason (other than price considerations) to choose one potential insurer over another.
In the next installments of this series, we will discuss concepts and rules that policyholders might rely upon if, despite their efforts and good faith, they are forced to litigate the issue of rescission after a loss.
-Alexander J. Anglim, Outside General Counsel