As insurance companies continue to look for ways to absolve themselves of liability for cyber-related losses, it is imperative that in-house counsel be well informed about all possible avenues of indemnity for their company.
Data breaches have made headlines for years by now. The marquee victims – or culprits, depending on your point of view – have been large retail-facing companies that have had millions of their customers’ personal and financial data records exposed by hackers. Banks and other financial institutions are also at a high risk of major losses from cyberbreaches because they inherently collect and store personal identification and financial information about thousands of people and businesses.
In-house counsel have had to educate themselves about both the available cyberinsurance coverage and the indemnity obligations in the involved contracts. These policies and contracts transfer certain types of risks. A company’s insurance policies can pay for its own losses as well as its liabilities to others. Where robust indemnity agreements are in place, they can transfer the obligations to pay for such losses and liabilities to, or away from, the company itself.
Siphoning cyber coverage into specialty policies
Cyber policies have proliferated over the past 15 years and now come in many varieties, providing different types of coverage. Some are stand-alone cyber policies with typical coverage for breaches, notification costs, data restoration, ransomware and other situations. Other policies are derivations of errors and omissions (E&O) policies that focus on the act or cause of a loss and extend coverage for data loss and liability to others.
For years, other policies, such as general liability, property insurance, and directors and officers (D&O) liability, have provided coverage for certain types of losses that stem from a data breach or other cyber loss. For example, a general liability policy might cover liability for property damage to another party’s physical property, including computer hardware. A property policy might cover the replacement of bank debit cards, as physical property damaged by a breach. D&O policies could be expected to cover the lawsuits that follow many data breach scenarios, when shareholders or regulators look to blame the victimized company.
Insurance companies are now moving ahead with plans to eliminate the coverage found in these non-cyber policies. The insurance companies call such coverage “silent cyber.” This cynical misnomer casts the coverage that has always been found in those non-cyber policies, which is inherent in a plain-language reading of the policies, as if it were an unintended windfall for policyholders. On the contrary, that coverage has always been there, but now insurance companies are looking for ways to eliminate it.
“Even if the indemnity provision that in-house counsel needs to rely upon is not ideal, there may still be ways to leverage it to mitigate the costs of a loss.” –Daniel Healy
Indemnity agreements into the breach
If insurance companies get their way and are successful in eliminating coverage that might apply to data breaches and other cyber losses from all non-cyber policies, then policyholders will have to look elsewhere to fully cover their cyber needs. Obviously, the coverage under a policyholder’s stand-alone cyber policy will be of key importance. But companies may also need to focus on indemnity agreements.
Indemnity agreements can be found in a wide variety of contracts. In the realm of cyber losses, the companies most often involved are service providers that are instrumental in providing the services needed to gather, store, use or secure computer systems that hold data. Sometimes such agreements also involve the systems that are used to process transactions, as more and more transactions are being conducted fully electronically.
For example, an agreement with a cloud service provider will likely include an indemnity agreement relating to all claims, causes of action, losses, damages and so forth. But what will the agreement actually do in the event of a cyber loss that emanates from its system but causes the theft or compromise of a client company’s data (which, in turn, is actually that client company’s customers’ or business partners’ data)? If the indemnity provision reads like the following, it is possible, depending on the facts, that the service provider will raise arguments that it does not need to provide the client company with indemnification.
Service Provider shall defend, indemnify and hold harmless Client … from and against any and all claims, demands, suits, judgments, losses, liabilities, damages, costs or expenses of any nature whatsoever … caused solely by any: (i) negligent act or omission of Service Provider, its officers, directors, agents or employees; (ii) failure of Service Provider to perform the Services in accordance with generally accepted professional standards; or (iii) breach of Service Provider’s representations and warranties, agreements, duties or obligations as set forth in this Agreement.
Such a provision does require the service provider to indemnify the client. But depending on the facts, the question is when. It could be argued that the indemnity obligation would only arise once it has been established what was caused “solely by” the service provider’s negligence, breach of contract, or breach of warranty. If, for example, the breach of the service provider’s system led to a loss despite the service provider having strong security measures in place, that service provider might argue that the loss was not the result of its sole negligence.
A slightly broader approach might be to have an indemnity agreement that requires the service provider to indemnify the client company:
from any and all liability, arising out of Service Provider’s negligence, whether it be sole or in concert with others, in connection with performance of the services described
This language enables the client company to seek its indemnity rights whether or not it has been established that the service provider was the sole negligent party.
In-house counsel should remember, while sifting through these obligations, that in the scenario described, the customers of the company looking to enforce the indemnity provisions against a service provider might be bringing lawsuits. Partner companies could also be threatening to pursue recovery against the company.
Instead of fighting a war on multiple fronts, pursuing indemnity for claims it has to defend, the company should know how it intends to hold a counterparty liable for the expected indemnity. Ideally, the indemnity will be a predictable and efficient way to assign risk.
Even if the indemnity provision that in-house counsel needs to rely upon in a given situation is not ideal, there may still be ways to leverage the indemnity obligation and accomplish some transfer of the costs of a loss. For example, if indemnity is tied to particular “work,” “services” or “products” for which one party is clearly meant to be responsible, then parties may not need to spend the time and expense of waiting to litigate who caused what. Instead, they can resolve the indemnity issues quickly, because at least some liability is clear. Also, in-house counsel should look at the insurance requirements that counterparties must have, as well as, potentially, additional insured requirements. Often these insurance provisions go hand in hand with indemnity provisions and permit the company to pursue another’s insurance policies.
In an environment where insurance companies are reducing liability for cyber-related losses by eliminating so-called “silent cyber” coverage, it is important to know how to use insurance provisions to access another party’s cyber policy. The sheer cost of data breaches has been studied extensively, and it is immense. It is not unrealistic that a breach could lead to losses that exceed the limits of a company’s cyber coverage. For that reason alone, as part of their company’s response plan, prepared in-house counsel need to have thought through potential avenues of indemnity and ways of tapping other companies’ cyberinsurance policies.
Published February 21, 2020.