Cyber Liability Policies and the Anthem Breach

In light of the most recent high profile data breach with Anthem, it is probably a good time to revisit the Cyber Liability policy and what implications for coverage there may be. Let’s consider a hypothetical manufacturer, ABC Company, which carries Cyber Liability and uses Anthem for their health plan (it does not matter if it is fully-funded or self-funded). After the breach, the executives at ABC Company will be trying to decide if they are liable in any capacity.

In order to understand this, we need to understand who sustained the loss. In a vast majority of Cyber Liability policies, the loss must occur on the insured’s computer network. Travelers defines this as a “computer system rented by, owned by, leased by, licensed to, or under the direct operational control, of the insured organization”. The Anthem breach occurred on the Anthem computer system and not that of their clients (such as ABC Company). As such, Anthem has been very vocal that they are responsible for the expenses associated with notification and communication. They are also picking up the credit monitoring for up to 2 years (as opposed to the normal 1 year stated in most insurance agreements).

Does this mean that ABC Company should move on without worrying about reporting this potential loss to their carriers? NO! With regard to all Executive Risk policies like Cyber Liability, it is better to take a cautious, even conservative, approach and report anything that may arise to a claim. With the legal environment around data breaches being relatively young, it is hard to anticipate when and if a lawsuit will be filed – and in this case, against whom. Depending on the type of loss and circumstances, there is the potential for coverage under the Director’s & Officer’s Liability, Employment Practices Liability, or even Professional Liability. Many carriers have added small or incidental limits to help with claims for negligence or wrongful acts on these non-Cyber lines.

The other reason to report potential losses, even if you are unsure if they could become a claim, is to avoid penalties or declinations for late reporting. Many carriers have wording within the insurance contract limiting the timeline in which a claim can be reported. Even if something didn’t seem like a claim when it first occurred, it is important to report that incident to avoid any confusion. Carriers generally see this as a favorable risk mitigation practice and won’t penalize their client for being proactive.

At minimum, these types of high profile breaches should be a good reason to have a conversation with your broker. Use it to develop an understanding of the exposure and the products available as they are changing all the time. Electronic theft is not going to decrease, but rather continue to increase exponentially. As it does, mitigating the risk will become a larger and larger part of your insurance program and more importantly, how you approach your business.

Linkedin Facebook Twitter Email
, ,

No comments yet.

Leave a Reply

Time limit is exhausted. Please reload the CAPTCHA.