Cyber Liability Insurance: What Is It and How Do I Keep It?

The type and amount of coverage provided can depend upon whether an applicant for the insurance has a HIPAA compliance program in place.

Insurance, in general, is heavily regulated at the state and federal levels. For example, the underwriting for traditional insurance, such as health insurance, has a fairly standard format. Existing law dictates what restrictions insurers may and may not impose on coverage. For example, the Patient Protection and Affordable Care Act (ACA), applicable to most group health plans, requires that such plans offer specific benefits and restricts insurance practices such as using pre-existing conditions to deny coverage.

Cyber liability insurance has no format. While several insurers with name recognition in other sectors, including ACE Group, Chubb, Beazley, CNA, Travelers, and Liberty Mutual, offer cyber liability insurance (CLI), what a potential policyholder must do to be eligible for the insurance, and in what amount, varies among insurers.

Before issuing a policy, underwriters will seek documentation of a potential insured’s security posture. The carrier typically seeks this information as part of a questionnaire. If a potential insured can document that it has a robust security program in place, the carrier is more likely to offer the insured a policy than would be the case if the documentation revealed a weak security posture.

So, what do cyber liability insurance questionnaires ask for? Whether a business is compliant with specific data privacy frameworks, regulations, and laws, including HIPAA.

The International Association of Privacy Professionals (IAPP) recently posted the cyber liability insurance applications of three prominent insurers: ACE; Philadelphia Insurance Companies (PHLY), and United States Liability Insurance Co., Inc (USLI).

Part 3 of ACE’s application asks:

“Is your company compliant with any of the following regulatory or compliance frameworks (please check all that apply and indicate most recent date of compliance):

☐ ISO17999 as of (date)

☐ SOX as of (date)

☐ PCI-DSS as of (date)

☐ HITECH as of (date)

☐ HIPAA as of (date)

☐ GLBA as of (date)

☐ SSAE-16 as of (date)

☐ FISMA as of (date)

☐ Other. ______”

Part 5 asks, “Do your third-party technology service providers meet required regulatory requirements that are required by your company (e.g., PCI-DSS, HIPAA, SOX, etc.)?

☐Yes

☐No.”

Part 4 asks: “Does the company have a formal risk assessment process that identifies critical assets, threats, and vulnerabilities?”

On the PHLY application, Question 1 of “Section 5, Privacy Controls” asks: “Have you achieved compliance with the following (check all that apply): PCI-DSS (Payment Card Industry Data Security Standard), Gramm-Leach-Bliley Act (GLBA), and HIPAA?”  For each question, the user is prompted to answer “Yes,” “No,” or “N/A.”

Question 3 of USLI’s “Risk Background” section asks, “3. Please list the regulatory or compliance frameworks you are compliant with (such as HIPAA, HITECH, PCI-DSS, SOX, etc.):”

Each carrier can seek documentation of compliance with HIPAA. The most common form of documentation requested and submitted is the results of a recent security risk analysis. A HIPAA Security Risk Analysis requires HIPAA covered entities and business associates to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

Read Your Policy

When a policy is issued, the policy language will state the insured’s requirements for coverage to remain in effect. Suppose the policy requires a business to be HIPAA compliant at all times. In that case, the defense of “I didn’t know I was supposed to be HIPAA compliant” is no defense at all – coverage for a cyber incident can be denied. The failure of this defense highlights an important legal concept: the law may not require someone to act, but once the person takes action, they must take on the responsibilities that flow from taking action.

As of 2022, no state or federal law requires a business to purchase cyber liability insurance. But, given the numerous types of cyberattacks to which a business is vulnerable and the rising costs of these attacks, having this insurance on hand can generate customer trust and goodwill, not to mention potentially saving a business from financial ruin.

Although the law does not require purchase of a policy, once a business applies for and purchases the policy, the business must comply with the application instructions and policy terms. This compliance might require the company to do something it was under no obligation to do had it not purchased the insurance. If HIPAA compliance is required to purchase and maintain a policy, the policyholder must comply to maintain coverage. While HIPAA applies to covered entities and business associates, a business that is neither one of these that voluntarily agrees to comply with HIPAA to maintain insurance must honor that agreement. If the business fails to, it is not HHS that will come after the business. Instead, the business has breached the contract – and the insurer can cancel the contract as a result, regardless of whether HIPAA actually applied to the business. The obligation to enter the contract is voluntary; if you don’t want to incur additional legal responsibilities, your remedy is to not agree in the first place.

Why Can an Insurer Cancel My Coverage?

If an insured falsely states during the questionnaire process, or once it is covered, that it has a HIPAA compliance program in place, and a policy is issued (or renewed) based on these, the insured has committed misrepresentation. Misrepresentation of this one item is grounds for exclusion of coverage, denial of coverage, and/or cancellation of the entire policy.  If an insured does not actually have a HIPAA compliance program in place when a potentially covered incident takes place, the insurer can exclude or disclaim coverage. To exclude coverage is to deny it outright. To disclaim coverage is to state that the coverage exists, but the insured failed to comply with a condition required for the coverage to kick in. An insured that misrepresents its HIPAA compliance status can also have its policy canceled outright: misrepresentation is a breach that entitles an insurer to terminate an agreement.

Many factors must be considered before purchasing cyber liability insurance. Once you apply and once you buy, though, there is one constant obligation: to read what you are signing, to mean what you say, and to be able to back up your words with documentation.  This will keep your data – and your reputation – safe.