Debate over NFIP Reforms Likely to Extend into 2019A new short-term extension through December 21 leaves the National Flood Insurance Program (NFIP) in limbo as Congress grapples with a lengthy to-do list in advance of the holidays.  NFIP, the biggest source of flood coverage in the U.S., has been reauthorized through a set of short-term extensions in the last year as lawmakers debate the prospect of reforms to the program. NFIP has struggled to remain solvent in the wake of costly hurricanes, but lawmakers have not yet reached a consensus on how to make the program more sustainable.

In the face of the most recent extension, FEMA published a statement calling the short-term reauthorization “an opportunity for Congress to take bold steps to reduce the complexity of the program and strengthen the NFIP’s financial framework so that the program can continue helping individuals and communities take the critical step of securing flood insurance.” We have previously written about FEMA’s own changes to the program, including steps to loosen restrictions on private insurers selling NFIP policies, as well as purchasing reinsurance for the program. Congress will have to determine the viability of other changes, such as proposals to make rates correspond more accurately to risk and funding for mitigation of flood-prone areas.

The short-term extension through December 21 puts NFIP reauthorization on the same timetable as other significant legislative deadlines, including the expiration of a continuing resolution to fund the government. Should Congress pass another extension for NFIP without making changes to the program, the 116th Congress will take up the debate with several changes to the key players in the negotiations. Most notably, current House of Representatives Financial Services Committee chair Jeb Hensarling will be succeeded by incoming chair Maxine Waters.  Waters co-authored a reform act in 2012 that would have significantly curbed government subsidies to premiums, but in recent years has advocated a more cautious approach to rate increases.

Policyholder Diligence Ensures You’re InsuredPolicyholders take notice – a recent New York case highlights the importance of thoroughly analyzing and understanding all policy language to minimize project risk and ensure proper coverage. As an illustration, the Court of Appeals of New York recently held that a named additional insured was not covered under an insurance policy because the plain meaning of the language in the policy endorsement required a written contract between the policyholder and the additional insured.

In Gilbane Bldg. Co./TDX Construction Corp. v. St. Paul Fire & Mar. Ins. Co., the Dormitory Authority of the State of New York (DASNY) contracted with Samson Construction Company as general contractor for the construction of a new building. DASNY also contracted with a joint venture, formed by Gilbane Building Company and TDX Construction Corporation (the “JV”), to serve as construction manager on the project. The contract between DASNY and Samson required Samson to procure general liability insurance for the project and name the JV as an additional insured. Samson obtained this coverage from Liberty Insurance Underwriters.

Thereafter, DASNY sued Samson and the project architect. In turn, the architect filed a third-party complaint against the JV, which then provided notice to Liberty seeking defense and indemnification. Liberty denied coverage, and the JV initiated suit against Liberty, arguing that it qualified for coverage as a named additional insured. The New York Supreme Court denied Liberty’s motion for summary judgment and held that the JV was an additional insured under the applicable insurance policy. The Appellate Division reversed and the Court of Appeals affirmed.

The court reviewed the language of the additional insured provision which read, in relevant part, “an insured [is] any person or organization with whom you have agreed to add as an additional insured by written contract…” Here, the JV and Samson did not have a written contract with one another. Nonetheless, the JV argued that the written contract requirement conflicted with the plain meaning of the language in Liberty’s endorsement, “well-settled rules of policy interpretation,” and the parties’ reasonable expectations. The court disagreed, and found that the language was facially clear. It concluded that Liberty’s endorsement would only provide coverage to the JV if Samson and the JV entered into a written contract because “unambiguous provisions of an insurance contract must be given their plain and ordinary meaning.”

The court then explained how the outcome would differ if the provision did not include the word “with.” In that case, the endorsement would have provided coverage to “any person or organization whom [Samson had] agreed by [any] written contract to add…” Since Samson already contracted with DASNY to add the JV as an additional insured, coverage would have been effective as to the JV.

Regardless of the type of insurance policy at issue, it is critically important to thoroughly analyze the policy documents to ensure an accurate understanding of the language used. Individual policyholders often take policy language at face value, if they read the terms of the policy at all, and never question what coverage they have actually purchased. Similarly, when the policy at issue is part of a larger set of contract documents, companies often become complacent during the contract review process—especially when certain documents appear boilerplate or seem like only a minor formality to finalize a contract. Oftentimes, the perceived need for reviewing policy language is further dampened by the fact that the insurance policy comes into existence after the project contract is signed, such as the policy in this case.

As a result of complete oversight, the hurried nature of review, or the overwhelming volume of contract documents requiring review, policyholders can easily adopt a reading of policy language that might reflect reasonable expectations but does not necessarily adhere to the plain meaning of the language. Diligence must extend to the review of insurance policies because ignoring the actual language of the policy can result in significant risk exposure.  If you have any questions or concerns about your current insurance coverage or upcoming project needs, please contact Alex Thrasher and the team at Bradley to learn more about ways to ensure that you’re covered.

Cyber Insurance: Court’s Recent Decisions May Change What Your Policy CoversCyber incidents can take many forms—phishing, insider theft, SQL injection, malware, denial of service, session hijacking, credential farming, or just old fashion “hacking.” Although many of these attack vectors employ technical knowledge, some utilize deception to manipulate individuals into performing certain actions or divulging confidential information.

Commonly referred to as “social engineering,” a perpetrator can exploit human behavior to pull off a scam. Oftentimes this comes as an email, which appears to be from a trusted colleague, vendor, or business partner, asking for a wire transfer to a particular account to settle a bill or provide payment for services.

To date, many of these social engineering schemes have been denied under cyber or computer fraud insurance policies, with many insurance carriers insisting that the policies only cover hacking-type intrusions.

In recent months, this stance has been denied—twice. Once by the Second Circuit in Medidata Solutions Inc. v. Federal Insurance Co. and once by the Sixth Circuit in American Tooling Center, Inc. v. Travelers Casualty and Surety Co. of America.

In both cases, the court found in favor of the policyholder in a dispute over coverage for social engineering schemes. In Medidata, the insured brought suit claiming that its losses from an email spoofing attack were covered by a computer fraud provision in its insurance policy. The provision at issue covered losses stemming from any “entry of Data into” or “change to Data elements or program logic of” a computer system. The court reasoned that although no hacking occurred, the perpetrators crafted a computer-based spoofing code that enabled the fraudsters to send messages that appeared to come from one of Medidata’s employees. Similarly, in American Tooling, a fraudster send a series of emails, purportedly from a vendor, requesting that American Tooling wire transfer payments to new accounts. American Tooling wired over $800,000 before realizing that the emails were fraudulent. The court in American Tooling found that the loss was covered under the policy and that none of the asserted policy exclusions applied, finding that the emails were computer fraud that directly caused the loss.

Companies should understand the complexity and varied types of cyber incidents that they face, build in mechanisms to avoid engineering scams by validating proposed requests, and review their cyber and crime insurance policies to ensure that they take full advantage of available insurance coverage.  These cases also serve as a reminder to have a clear incident response policy in place and to quickly engage counsel who understands the complexities of the incident, as well as the insurance coverage, in order to minimize loss.

National Flood Insurance Program Shows Continued Promise--and Limitations--for Businesses Recovering from Hurricane LossFollowing record-setting levels of rainfall in the Carolinas from Hurricane Florence, businesses both in and outside of affected areas will likely be reviewing their flood coverage to assess how it will respond to adverse weather events. Although private flood insurance is on the rise, the National Flood Insurance Program (NFIP) remains by far the biggest source of flood coverage in the U.S.

NFIP was created in 1968 to address the problem of disaster relief costs and is administered by a department of the Federal Emergency Management Agency (FEMA). For participating communities, NFIP makes federally subsidized flood insurance available in special flood hazard areas. NFIP policies can be purchased directly from the government or from private carriers through the “Write Your Own” program.

Commercial policyholders under NFIP can obtain coverage for up to $500K for a building, and up to an additional $500K for certain types of personal property. These are single peril policies – they only cover direct physical damage caused by flood up to the property’s cash value. Notably, NFIP does not provide business interruption coverage for lost profits due to a shutdown of an insured’s operations. These limitations highlight the need for excess flood insurance coverage, as many businesses will need more than $500K in commercial property coverage; coverage for business interruption arising from flood; and coverage for the full replacement cost of lost property, rather than just cash value.

We have previously written about NFIP’s efforts to remain solvent in the face of multibillion-dollar flood insurance losses over the last 15 years. Last year, Congress passed a bill to forgive $16 billion owed by NFIP to the U.S. Treasury in order to ensure the program remains solvent. The program is currently authorized through November 30, 2018, as a result of seven temporary extensions by Congress over the last year. These steps by Congress reflect bipartisan support for a program that provides an important role in disaster recovery, but consensus has not yet developed around new long-term legislative reforms. This year, FEMA has introduced several changes to the program intended to manage its exposure, including loosening restrictions on private policies in the Write Your Own program, reducing compensation for private insurers who sell NFIP policies, and purchase of reinsurance for the program. We will continue to monitor the effect of these changes, as well as new initiatives and their impact on policyholders.

Coverage for Cannabis? How Cannabis’s Legal Limbo Affects Property Insurance PoliciesA recent federal court of appeals’ decision raises interesting questions for all policyholders, particularly commercial and residential landlords with tenants that grow, possess, and/or distribute cannabis, even where it is legal to do so under state law.

In K.V.G. Properties, Inc. v. Westfield Ins. Co., decided by the United States Court of Appeals for the Sixth Circuit on August 21, 2018, KVG claimed coverage for losses caused by its commercial tenant’s use of KVG’s property for cannabis cultivation. In connection with its cannabis business, the tenant removed walls, cut holes in the roof, altered ductwork and damaged HVAC systems, which ultimately cost around $500,000 to repair. KVG claimed that its loss was covered under its Building and Personal Property Coverage Form (the “BPP Policy”). However, Westfield denied the claim, arguing that the loss was not covered under the BPP Policy due to an exclusion that provided that Westfield would not pay “for loss or damage caused by [any] [d]ishonest or criminal act by [KVG], any of [its] partners, members, officers, managers, employees . . ., directors, trustees, authorized representatives or anyone to whom [KVG] entrust[s] the property for any purpose” (the “Dishonest or Criminal Acts Exclusion”).

Given the litigants’ positions, the court was forced to address the question of whether the cannabis-cultivating tenants committed a “criminal act” within the meaning of the policy. The court began by noting that, while growing cannabis is a crime under federal law, it is protected by Michigan law under certain conditions. The court also noted that “[u]nder different circumstances, KVG might have a strong federalism argument in favor of coverage.” The court went so far as to say it would “hesitate before reading a Michigan insurance policy to bar coverage for a ‘criminal act’ when Michigan law confers criminal and civil immunity for the conduct at issue.” The court ultimately punted on this difficult federalism issue, though, holding instead that the evidence was such that no reasonable jury could find that KVG’s tenant complied with Michigan law. In reaching this conclusion, the court cited KVG’s pleading in a summary eviction proceeding against the tenant where KVG stated that the tenant “illegally grew cannabis.” The court also noted that federal agents, who at the time were subject to U.S. Attorney General Guidance stating that they should not prioritize individuals whose actions are in compliance with existing state laws, raided the premises. This raid, the court reasoned, confirmed that the tenants were not acting in compliance with Michigan law.

This case has multiple interesting implications for insureds. First, policyholders that have extensive and expensive insurance packages (and, consequently, some ability to negotiate policy terms) could attempt to negotiate a more definitive exclusion to obtain more certainty as to whether losses caused by things such as cannabis use and cultivation are covered.

Secondly, policyholders and their counsel should note that the inconsistency between state and federal law as to cannabis’s legality lends itself nicely to an argument that the Dishonest or Criminal Acts Exclusion (and other similar exclusions) is ambiguous in this context. It is a maxim of coverage law that ambiguous provisions in insurance policies should be construed in favor of coverage, and this ambiguity could give policyholders an avenue to pursue traditionally excluded coverage. To this end, this tension between federal law and certain state laws could almost “read out” the Dishonest or Criminal Acts Exclusion for cannabis-related losses under the theory that the legality of cannabis cultivation is always ambiguous in states where medical and/or recreational cannabis cultivation and use are legal. Brokers acting for insureds might bargain for a more specific exclusion that makes it clear the Dishonest or Criminal Acts Exclusion does not apply to cannabis cultivation or use, or policyholder’s brokers might opt for keeping this more ambiguous exclusion rather than being forced to accept an exclusion specifying that coverage is not provided for losses caused by acts that are illegal under state or federal law, in order to leave open the possibility of arguing for coverage based on the exclusion’s ambiguity.

Lastly, insureds and their lawyers should be mindful of the arguments they make in related proceedings. While it was likely in KVG’s best interest to have its tenant—who was causing losses to the rented property—evicted, its argument that the tenant should be evicted for its illegal cannabis operation ultimately worked to prevent KVG from obtaining coverage for its losses. Policyholders should, to the extent possible, litigate any related issues with an eye toward preserving (or at least not foreclosing) coverage for their losses.

Federal Court Enters Powerful Duty to Defend Order in MaineIn addition to being a great place to find lobster, Maine may also be one of the country’s best jurisdictions for a policyholder seeking defense from its commercial general liability carrier.

In Zurich American Ins. Co. v. Electricity Maine LLC, the U.S. District Court for the District of Maine found against Zurich and in favor of Electricity Maine LLC, one of several defendants in an underlying class action lawsuit alleging pricing violations against the power company. Most notably, the court confirmed that Maine has a particularly low threshold for triggering an insurer’s duty to defend. The court found an “occurrence” despite Zurich’s argument that all the underlying allegations involved intentional conduct. And perhaps most shockingly, the court found the possibility of “bodily injury” based solely on the underlying complaint’s request for “actual damages in an amount to be proven at trial.” There is no mention in the complaint of emotional distress or mental anguish, but the court found an allegation of “bodily injury” anyway, relying on Maine’s broad duty to defend rules.

Based on this decision, a CGL policy can be triggered in Maine by virtually any general allegation of damage caused by negligence. Maine follows what it calls the “comparison test” and seems to allow for a duty to defend unless there is absolutely no chance of an eventual judgment that would fall within the scope of coverage provided by the policy.

Once again, we have an important reminder on two fronts. First, the duty to defend should be broadly construed, and some courts are willing to give the policyholder every benefit of the doubt, particularly in the face of ambiguous underlying allegations. Second, never forget choice of law. If you can go to Maine to resolve a duty to defend dispute (or to eat lobster), do it.

Wind, Flood or Storm Surge: Pick Your Peril CarefullyA catastrophic loss, such as a hurricane strike, can force any company out of business, even if it is insured. Although a business does not suffer any direct physical damage to its facilities, fickle natural disaster events can disrupt a company’s entire supply chain, with ripple effects for vendors, suppliers, customers and second-tier providers of services or goods.

With scorching August temperatures and the Atlantic hurricane season ramping up to full speed, the next months could, unfortunately, once again visit doom on vulnerable coastal areas, disrupting water or power services, causing evacuation and curfew orders, limiting travel, or halting operations either partially or fully. Securing insurance proceeds and FEMA assistance is crucial to business disaster recovery implementation.

1. What caused my loss?

A ubiquitous issue that arises with respect to natural disasters is how the peril is characterized – is it a hurricane, a “named storm,” a windstorm, a flood, or something else under your insurance policy? And what occasioned the particular damage at issue in the insurance claim – wind, wind-driven rain, storm surge, or flood?

How the mechanism of loss is characterized has critical implications for insurance recovery. Policies commonly provide different amounts of available limits (and sub-limits) for different types of losses (e.g., State Farm Florida Ins. Co. v. Moody, considering policy that limited coverage for damage caused by “hurricane” but that did not limit coverage for damage caused by “tornado”). And in some cases, policies may not provide coverage at all for losses that occurred as a result of certain causes (e.g., In re Katrina Canal Breaches Litig., considering whether damage to property was caused by flood or by the negligent design and construction of levees; flood being an excluded peril under the policy, while negligent construction was covered). For example, a commercial property insurance policy may provide coverage for damage caused by wind or a named storm but exclude coverage for damage caused by flood (e.g., Bradley v. Allstate Ins. Co.).  Complicating this analysis, policies often contain overlapping ill-defined concepts of “flood” vs. “named storm.” One may question whether a storm surge resulting from a named storm is treated as part of the named storm or as a flood.

The net effect is that the scope and amount of coverage can vary dramatically depending on how the cause of loss is characterized up front to the carrier at the proof of loss stage – a critical juncture that is rarely straightforward and that usually benefits from thoughtful legal analysis. To hold carriers to their promises of disaster recovery, policyholders need to have a thorough understanding of the coverage provided under their policies, the relevant case law, and the mechanism or mechanisms that caused their loss. Properly determining the peril at the time of claim submission can allow a policyholder to achieve the benefit of its bargain with its carrier.

2. What if there is no physical damage to my property?

Assuming no physical damage to your insured premises, how does a business function without electricity, telephone, email or water service? Utility service interruption coverage (if purchased) indemnifies, for example, against loss due to lack of incoming electricity affected by damage from a covered cause (fire or named storm) to property away from the insured’s premises — usually the utility generating station. This type of insurance is commonly referred to as “off-premises power coverage.” Service interruption coverage is not standard, or even common but a policy could be endorsed to cover any of the following:

  • Water services – pumping stations and water mains.
  • Communications services – property used to supply telephone, radio, microwave or television services. Includes communication transmission lines, coaxial cables and microwave relays.
  • Power services – electricity, gas and steam, utility generating plants, switching stations, substations, transformers, and transmission lines. Typically the policyholder must elect either to include or exclude overhead transmission lines.

The value of goods, including raw goods under refrigeration, is often challenged by the carrier when presented for coverage. The issue is further complicated in large scale operations by several commonly found exclusions that limit the inherent risks associated with perishables, including mechanical defect, failure to maintain systems and consequential losses.

3. What if my loss resulted from both covered and non-covered events?

Given that property policies may provide coverage only for certain causes of loss, or may provide different amounts of coverage depending on the cause of loss (e.g., named storm vs. flood), a debatable issue often involves the extent to which a loss is covered when it is caused concurrently or sequentially by both covered and non-covered perils.

Some courts apply an “efficient proximate cause” test, under which a dominant cause is determined and coverage hinges upon whether that cause is covered, or alternatively whether the covered cause set the chain of events in motion. Other courts apply one of two “concurrent cause” analyses: (1) Some courts have ruled that when two causes combine to produce an indivisible loss, there is coverage as long as one of the causes was a covered peril under the policy, and (2) other courts have ruled that the policyholder bears the burden of differentiating damage attributable to covered and non-covered causes, and if the policyholder cannot meet that burden there is no coverage.

This analysis turns on the policy language as well. Insurers have sought to eliminate coverage in instances involving concurrent causes by incorporating “anti-concurrent causation” language in their policies that purports to bar coverage when an uncovered cause is involved in any way, whether directly or indirectly. For example, the policy may state: “We will not pay for loss or damage caused directly or indirectly by any of the following. Such loss or damage is excluded regardless of any other cause or event that contributes concurrently or in any sequence to the loss.” Some courts have enforced these anti-concurrent cause provisions while others have held that they are unenforceable, predominantly on public policy grounds. Where and how this language appears in the policy is also important and factors into how a court will view it. If the language is buried deep in a definition or an exclusion, for example, the situation might be distinguishable from existing case law.

For this reason it is important to review your endorsements at the time coverage is bound as well as analyze the policy exclusions that may be applicable to any loss to determine whether they are subject to anti-concurrent causation language.

4. How is storm surge different than wind?

After a catastrophic weather event in coastal areas, insurers and insureds frequently litigate whether property damage was caused by wind, on the one hand, or storm surge, on the other. Such litigation arises because property policies often cover damage caused by wind, while excluding coverage for damage caused by flood.

Courts considering such claims tend to characterize the peril of wind and the peril of storm surge separately. Courts have noted that storm surge is “little more than a synonym for a ‘tidal wave’ or wind-driven flood” and have held that damage from storm surge falls squarely within the bounds of flood exclusions, even where the flood exclusions do not expressly include the term “storm surge.” See, e.g., Leonard v. Nationwide Mut. Ins. Co.; Tuepker v. State Farm Fire & Cas. Co.; or Bilbe v. Belsom (“We have repeatedly held that the term ‘flood’ includes storm surges.”). By contrast, property policies generally cover damage caused solely by wind (i.e., wind that doesn’t interact with water). See e.g., Leonard; Tuepker v. State Farm Fire & Cas. Co.; or State Farm Florida Ins. Co. v. Moody (determining that insureds were not entitled to recover because hurricane spawned the tornado that caused the damage and hurricane sublimit applied).

Recovery may rise or fall based on whether the property damage at issue resulted from wind alone (for example, a structure was blown over by wind) or whether the damage resulted from storm surge (i.e., flooding caused by wind). Insureds who buy a master property policy are wise to keep the distinction between wind and storm surge—and the impact of such distinction—top of mind when considering coverage issues post-hurricane. Legal analysis of the wording of any coverage grants or exclusions and choosing a peril wisely must become part of the recovery planning implementation strategy businesses rely on to maximize the insurance claim.

Upcoming Event – Insurance for Cyber Risk – and the Disputes About Its Scope: The Good, the Bad, and the UglyBradley attorney Emily Ruzic will present “Insurance for Cyber Risk – and the Disputes About Its Scope: The Good, the Bad, and the Ugly” as part of DRI’s Cybersecurity and Data Privacy conference.

The event will discuss an overview of cyber threats that now include hacking, ransomware attacks, social engineering, and other schemes. The panel is presented by guest speakers Michael Carr of Brit Global Specialty USA and Anna M. Stafford of Travelers, and moderated by Bradley attorney Emily M. Ruzic.

When:  Thursday, September 6, 2018, 1:30PM – 2:15PM CDT

Where:  Lowes Chicago Hotel

What:  As insurance for cyber risks becomes increasingly common, so too do disagreements about the scope and application of the coverages available. This panel will examine underwriting and claims challenges, insurance coverage disputes, and regulatory pressures on financial and other institutions regarding cyber insurance.

For more information about the event, please review the conference agenda and register on the conference website.

We look forward to seeing you there!

Ponzi Coverage: A Unique Twist from ConnecticutKostin v. Pacific Indemnity is a recent federal decision from Connecticut denying insurance coverage that should be of particular interest to those impacted by a Ponzi scheme. In a coverage dispute arising out of the Madoff scandal, the court rejected the policyholder’s argument that Madoff’s misuse of funds constituted “wrongful entry” into her bank account and denied coverage for her clawback liability to the bankruptcy trustee.

The case is particularly interesting because it involves homeowners’ insurance, not the commercial crime or liability (D&O and E&O) policies often considered in coverage cases relating to Ponzi schemes. The insured, Susan Kostin, sought recovery under her family’s “Masterpiece” homeowner’s primary and excess liability policies. Kostin and her family lost millions from an account established to manage family assets, including principal and expected profits. The coverage dispute related specifically to a $3.75 million withdrawal clawed back by the bankruptcy trustee, plus $799,000 in attorneys’ fees and litigation costs spent on fighting to keep that money.

The court invoked several standard rules of policy construction, ultimately leading to its decision against coverage. The central question was whether the claims against Kostin included claims for “personal injury,” defined by the policies to include a legal obligation resulting from “wrongful entry or eviction.” This is a standard definition of “personal injury” seen in many different types of liability coverage. Here, Kostin saw a window of opportunity and made a creative argument: Madoff’s Ponzi entries into the account ledger were wrongful, so there should be “wrongful entry” coverage for Kostin’s liability to the trustee.

In the end, the court based its coverage denial on its distinction between two types of “wrongful entry”: unauthorized intrusions versus fraudulent accounting ledger entries. While “unauthorized intrusions” into accounts might be covered, the court held “fraudulent accounting” entries would not be covered. In creating that distinction, the court focused on the fact that “wrongful entry” is coupled with the term “eviction” in the policy’s definition of “personal injury.” Kostin never alleged that Madoff was operating the account without authorization, so the court found no “wrongful entry.”

The decision was appealed to the Second Circuit. That result on appeal could be important and significant to other Ponzi victims seeking coverage under the personal liability provisions offered by some homeowners’ insurance policies.

Two takeaways here: First, do not assume that coverage is unavailable for clawback liability for Ponzi schemes, even if homeowners’ coverage is the only available policy. Second, keep in mind that the underlying allegations almost always drive the threshold liability coverage decision, particularly as to the duty to defend. For Kostin, the result might have been different if the alleged basis for her liability had instead been Madoff’s use of personal financial information to gain unauthorized access to her bank account. That type of allegation might qualify as “wrongful entry” under the trial court’s analysis.

FFIEC Highlights Importance of Cyber InsuranceThe Federal Financial Institutions Examination Council (FFIEC) issued a joint statement in April emphasizing the need for companies in the financial sector to include cyber insurance in their risk management program. Although the FFIEC did not announce new regulatory requirements or expectations, the announcement is further evidence of what most businesses have already recognized: Cyber coverage is quickly becoming indispensable.

Among the points highlighted by the FFIEC:

  • Institutions face a variety of risks from cyber incidents, including risks resulting from fraud, data loss, and disruption of service.
  • Traditional insurance coverage may not cover cyber risk exposures.
  • Cyber insurance can be an effective tool for mitigating risk.
  • Insurance does not remove the need for an effective system of controls as the primary defense to cyber threats.
  • The cyber insurance marketplace is growing and evolving, requiring due diligence to determine what insurance products will meet an organization’s needs.

Although not specifically mentioned in the FFIEC statement, businesses should be aware that cyber coverage can be an important source of mitigating regulatory risk associated with data breaches – if the organization purchases a policy that provides regulatory coverage. Today, there are a number of insurers offering products that reimburse costs for investigating and responding to a regulatory investigation or enforcement proceeding, as well as provide coverage for administrative penalties. Given amplified scrutiny from regulators in the area of data security, the importance of such coverage continues to increase. With a rapidly changing market, institutions should carefully review policies to be sure that the scope and limitations of coverage match their exposure.

 

Republished with permission. This blog post was modified for the It Pays to Be Covered blog. The blog post originally appeared on Bradley’s Financial Services Perspectives blog on April 17, 2018.