The Method of Compensation
Does the written policy wording include language such as “the insurer will pay on behalf of the insured” or “the insurer will reimburse the insured”? In the former case, the insurer would assume the covered expenses incurred up front (subject to the deductible, if any), whereas in the latter case, the insured would have to pay the expenses and then seek reimbursement from the insurer. However, for some coverage, only one method of reimbursement may apply; this is the case, for example, with business interruption insurance. As far as civil liability is concerned, it must be clearly stated that the insurer will take over the defence of the insured in the event of a claim seeking liability. This prevents the insured from having to pay defence costs and thus jeopardize his liquidity. In Quebec, however, the question does not arise since the Civil Code provides that insurers are required to take up the defence of any person entitled to the benefit of the insurance and to assume the defence in any action against him. It is also provided that defence costs are to be borne by the insurer, in addition to the coverage limit.
Types of Information
Does the insurance policy only cover personal information or does it also cover business information? Cyber risk insurance policies provide coverage to protect personal information, i.e. information that is not accessible to the general public, such as health information, identity information, financial information or any other personal information as defined by the Personal Information Protection and Electronic Documents Act (PIPEDA). However, some policies offer broader coverage by extending protection to confidential or proprietary business information. These policies generally specify that the insured must hold such information in accordance with an agreement with the company in question. In addition, the wording should make it clear that the coverage of business information is not limited to electronic data, and therefore covers information in any form.
It is often falsely believed that breaches of network privacy and security are solely the work of external factors such as hackers. In reality, the problem often comes from within: human error, a computer system failure… or a malicious employee. An organization’s employees represent a significant risk because they have access to the computer system and are familiar with the data stored on it and the controls and procedures designed to protect it. One need only think of the theft of Desjardins client data by an employee, which recently made the headlines. In addition, an employer can be held liable for a breach of privacy or data security due to the actions of its employees.
How would you know if a cyber-risk insurance policy provides coverage for malicious employees? Since the intent of this insurance product is not to cover claims resulting from an attack by the insured himself, it is normal to find an exclusion for dishonest, criminal or fraudulent acts committed by an insured. However, under the policy, an employee of the insured is considered to be an “insured”. It is therefore important that the wording of the policy provide for certain exceptions to the application of this exclusion: first, for defence costs until such time as the guilt of the insured/employee for his or her dishonest, criminal or fraudulent conduct has been established by a final judgment or decision; and second, for “innocent” insureds, i.e., those who are neither perpetrators nor accomplices of the conduct in question.
Over the course of the past several months, we have discussed the coverage provided by cyber risk insurance policies in a number of ways. But what happens when a breach occurs? How will the insurer intervene? This is the subject we will address in our next column.