Saturday, April 08, 2006

PROGRAM: 21st Century Risks and Age-Old Insurance Clauses

Bill Denny led a very interesting program on how businesses are responding (or, in many instances, not responding) to the risks arising out of participating in cyberspace.

Mike Rodman of Albert Risk Management Consultants spoke on his observations of businesses and how they interact with the need for cyber-insurance. He noted a number of risks that should be addressed in any useful policy, particularly noting the need to address what things are NOT covered in other policies such as CGL. He suggested that there is still a lack of belief in the need for these kinds of cyber-loss policies -- and that, in his opinion, businesses that go without them do so at a higher degree of risk than they believe.

Bill Denny spoke on traditional contract principles and how we have historically allocated risks in IT deals. He then recalled the traditional insurance policies that we might have been analyzing for our clients -- third-party liability policies, including CGL and its cousin E&O, to cover many traditional IP claims such as copyright infringement; and first-party coverages such as property, automobile and the like. He reminded us of the differences between occurrence policies and claims-made policies. He also reminded us of how some policies provide defense, some do not, some will pay defense costs after the claim is actually paid out, and some count defense costs against the policy limits while others do not. Bill also went over how much of the boilerplate provisions we frequently glaze over may be self-defeating of our purported intentions.

Margaret Reetz of Chicago discussed how the newer policies have been working out in practice, based on her practice representing insurers. She discussed concepts of how the cyber-policies provide coverage, and misconceptions that are out there.

Emily Freeman of JLT Risk Solutions of London discussed how so many of us will spend so much time negotiating the best indemnity clause ever written, and never take the time to wonder if the indemnifying party has any insurance to stand behind that indemnity. She reminded us again how 'useless' CGL policies will be to cover indemnified cyber-risks. She also reminded us of how little consistency there is between the various policies that fall into the so-called cyber-policies. Her strongest message was that we should never rely on just calling out the name of a policy (like "CyberInsurance") and assuming that any particular risks are covered. (Emily has a checklist she would be willing to offer that lists the various risks that we should be asking about.) Rather, we need to cite the specific risks that need to be covered. She discussed the methods that potential insureds will need to follow to get coverage, including the due diligence that insurers will do prior to writing coverage. (Getting coverage, and 'passing' due diligence by the underwriter, is itself a flag for customers of the insured parties. Failure to get insurance can be a red flag.) She also noted that those who rely on their vendors to be the sole source of potential assets to cover risks are potentially foolish. The sorts of claims involve actions that tend to harm many parties -- imagine a privacy breach that harms thousands of consumers who have dozens of different banks, all of which use a common financial data services provider. If that provider has a $5 million policy, there is not much left for the 2nd claimant after all 4 dozen of them suffer $5 million in damages. Those customer businesses will hope they had thought to obtain their own policies.
