Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Does Your Cyber Insurance Cover Regulatory Investigations and Fines?

February 5, 2019

My friend (and sometime co-presenter) Judy Selby released a new article on January 30th. I am always happy to be kept informed by Judy, who is a cyber insurance expert. She is frequently asked if cyber insurance covers claims for related regulatory investigations, fines, and penalties. Of course, there is no uniform answer. But the good news is that some cyber insurers are now providing more expansive regulatory coverage than ever before. Insureds, however, must know where to look. Here are some key issues to keep in mind when reviewing a policy for broad regulatory coverage.

As Judy notes, cyber insurance policies typically include some form of “Regulatory” coverage, but the devil is in the details. For example, the policy may limit coverage to regulatory claims arising from alleged violations of US federal and state regulations only. If you are worried about coverage for regulatory actions involving the EU's General Data Protection Regulation, that is not good enough.

In addition, the regulatory coverage in some policies is triggered by regulatory actions arising only from data breaches and security events. Although these are no doubt two very significant exposures, many of today’s privacy and cyber regulations contain requirements going far beyond those two issues. The GDPR, for instance, contains 99 Articles that include mandates concerning the adequacy of data subjects’ consent to data processing, limits on how long companies can retain data, the appointment of a data protection officer, designation of an EU representative, and many more. If your insurance policy with regulatory coverage is limited to data breach and security events, you may be out of luck.

Further, a policy may limit its coverage to the types of data protected under only certain specified laws and regulations, such as US state data breach notification laws and HIPAA, which are not as all-encompassing as some newer regulations.

Some cyber policies provide that fines and penalties are insurable only if the law of the jurisdiction issuing the fine allows for such coverage. This could be an important issue for companies subject to GDPR, since many EU countries do not permit such coverage.

To the extent a fine or penalty is considered punitive in nature, it will be important to look for specific coverage for punitive damages. A number of US states prohibit coverage for punitive damages on public policy grounds.

There is a lot of food for thought in Judy's article. Other resources from her may be found at her website
