NEW YORK–Company boards have perked up their collective ears on the subject of cyber-related physical damage and business interruption, according to panelists at Advisen’s Property Insights Conference on June 4.
Boards used to spend “10 minutes a year on cyber,” said Peter Rosen, partner at Latham & Watkins.
But cyber attacks like the one at Home Depot last year have gotten the attention of directors, officers and executives everywhere. The data breach exposing about 56 million payment cards was the largest retail breach of its kind ever.
“Wynn prevailed in a shareholder suit in part because they discussed cyber 14 times in two years,” Rosen said of the derivative lawsuit dismissed last year against the hotelier over a cyber attack.
A shareholder, Dennis Palkon, filed suit against members of Wyndham’s board after three high-profile data breaches in 2008-2010 compromised the personal information of more than 600,000 customers. The board had voted not to pursue a fiduciary duty lawsuit against company directors and officers over the alleged inadequate cybersecurity and deficient public disclosures about the breaches.
“We weren’t addressing cyber at the last conference,” said Nadine Silva, EVP and property division executive at Lexington Insurance Company. “The interest of buyers has mushroomed.”
Coverage is often cobbled together by combining traditional cyber/business-interruption policies with property policies that are themselves triggered by physical damage, said Chris Keegan, senior managing director and cyber and technology national practice leader at Beecher Carlson.
Excess DIC (difference in condition) policies, cyber programs without the Clause CL380 exclusion for damage caused by IT systems, and standalone policies, such as loss-of-data and extortion, are all used to provide a safety net.
The extent to which they can be used to fill the gaps in the event of data loss “is the question,” Keegan said.
The hole that often remains, even when policies are combined, is when the data loss has a physical cause.
“Many property policies have a data-loss exclusion, and cyber policies cover causes that are not physical,” he said.
Keegan added that the application process for cyber-related physical damage has evolved from one requiring a form to be filled out a few years ago, to one involving audits—and even ongoing supervision–for limits above a certain amount.
“There are $200 to $300 million coverages in standalones, but tied back to companies watching you on a day-to-day basis,” he said. Companies needed to decide if they were comfortable with such intrusiveness.