Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
5 Things to Know About Cyber Insurance
Newest First  |  Oldest First  |  Threaded View
Richard F.
50%
50%
Richard F.,
User Rank: Apprentice
8/16/2019 | 1:03:05 PM
Great Article - But There Are Dangerous Traps for Unwary
This is a very useful and timely article by a very knowledgible reporter who has done excellent work in this ever changing and confusing field.

Unfortunately there are often even greater surprises concealed within Cyber Insurance Policies and endorsements.

 

First, Cyber Insurance in NOT standardized.  These are "Manuscript" policies with each insurer using its own custom language and provisions.  The "meaning" of the language is NOT uniform.  The same provisions can be interpreted in contrasting ways in different federal circuits and state courts.  Whether your company has "collectible" insurance often depends on what state(s) you are located in.  Of course, that is unless a "Choice of Law" clause specifies the insurance law of a particular state, like New York.

Second, Cyber Insurance is often a "tower" of distinct layers and levels. That means there are separate insurers for different amounts of coverage.  Higher layers often mean foreign insurers with unexpected language and restrictions.  What you may think the Declarations page says you have in insurance is NOT necessarily what your company actually has.  

Third, "Insured" companies are frequently shocked to learn choice of law and arbitration clauses mean no litigation in local courts, no state judges familiar with their domestic insurance law, and no jury trials. Even when local state law appears to clearly prohibit arbitration, such as Louisiana etc., the New York Convention as a U. S. International Treaty overrides state law. That allows foreign insurers like Lloyds, Zurich, Swiss Re etc. to require arbitration in London, U.K., Hamilton, Bermuda etc.

Fourth, many American companies are unaware that where there are foreign insurers in an insurance tower, mandatory foreign arbitration is almost guaranteed. Typically that means any disputes will be decided by 3 arbitrators unfamiliar with technology issues, focused on contract language, sitting in London, and applying New York or English insurance law under the English Arbitration Act. If there is a "Nationality" clause, at least 2 of the 3 arbitrators will NOT be U.S. citizens, or well versed in U.S. state insurance laws.

Finally, "Insured" companies being required to make six figure deposits to simply start an arbitration are common. I have seen clients required to post USD $200,000.00 to file their Hurricane Katrina claims for each arbitration in London.  That meant separate individual arbitrations for each distinct insurer denying coverage. I won't even beging to address the joys of dealing with English High Court "Anti-Suit" injunctions prohibiting the "insured" from commencing or continuing U.S. litigation.

I have decided insurance coverage disputes as an arbitrator or Federal Court Special Master and also represented companies against insurers as policyholder counsel in arbitration and litigation. It is CRITICAL that any company purchasing Cyber coverage in any form read, know and ACTUALLY UNDERSTAND all of the policy language, every endorsement and every exclusion. That rrequires you do that for each separate layer of coverage.  If you see these common traps, negotiate them out!!!!  

Cooperation between the CIO, CFO and company insurance counsel is absolutely essential. Good Insurance Brokers try to help their customers. BUT customers need to remember that their Brokers business ultimately depends on remaining on good terms with those same insurance companies.

Richard Faulkner, J.D., LL.M., F.C.I.Arb.



Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7747
PUBLISHED: 2020-10-20
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.
CVE-2020-7748
PUBLISHED: 2020-10-20
This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
CVE-2020-7749
PUBLISHED: 2020-10-20
This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the page wh...
CVE-2020-5640
PUBLISHED: 2020-10-20
Local file inclusion vulnerability in OneThird CMS v1.96c and earlier allows a remote unauthenticated attacker to execute arbitrary code or obtain sensitive information via unspecified vectors.
CVE-2020-15256
PUBLISHED: 2020-10-19
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and settin...