Understanding Cyber Insurance Clauses on Data Subprocessors
In the rapidly evolving landscape of cyber threats, businesses are increasingly turning to cyber insurance as a safety net against potential data breaches and cyber incidents. However, securing such insurance involves navigating a complex array of clauses, particularly those concerning the disclosure of data subprocessors. These clauses are critical, as they outline the responsibilities of the insurance seeker in revealing who they are passing data to and what type of data is being shared.
Key Clauses in Cyber Insurance Policies
1. Subprocessor Disclosure Requirement: This clause mandates that the insured party must provide a comprehensive list of all subprocessors involved in handling their data. This includes third-party vendors, cloud service providers, and any other entities that process, store, or transmit data on behalf of the insured.
2. Data Type and Sensitivity Specification: Insurers often require detailed information about the types of data being handled by these subprocessors. This can include personally identifiable information (PII), payment card information (PCI), health records, and other sensitive data categories.
3. Contractual Safeguards Verification: Policies may stipulate that the insured must have contracts in place with subprocessors that include specific security measures and data protection protocols. This ensures that subprocessors adhere to the same standards as the primary insured entity.
4. Notification and Approval: Some policies require the insured to notify the insurer of any new subprocessors and seek approval before engaging their services. This helps insurers assess the risk associated with new vendors and ensure compliance with the policy terms.
5. Regular Audits and Assessments: Insurers might include clauses that oblige the insured to conduct regular audits and security assessments of their subprocessors. This ongoing vigilance is crucial in maintaining the integrity of the data protection practices.
Consequences of Non-Disclosure
Failure to accurately disclose data subprocessors and the nature of the data being handled can have severe repercussions. Non-compliance with these clauses can lead to the denial of claims in the event of a cyber incident. Insurers may argue that the risk assessment was based on incomplete or inaccurate information, thereby invalidating the coverage. This can leave businesses exposed to significant financial losses and reputational damage.
Examples of Lengthy Payout Negotiations
Publicly known cases illustrate the challenges of securing insurance payouts following cyber incidents:
1. Target (2013): The retail giant faced a massive data breach affecting over 40 million credit and debit card accounts. While Target had cyber insurance, the payout process was protracted, involving extensive negotiations over coverage details, including subcontractor disclosures.
2. Anthem Inc. (2015): This health insurance company suffered a breach compromising personal information of nearly 80 million individuals. The complexity of the breach, including the involvement of various data subprocessors, led to drawn-out discussions with insurers before a significant payout was secured.
3. Marriott International (2018): The hotel chain experienced a breach impacting approximately 500 million guests. The intricacies of their data processing arrangements and the involvement of multiple subprocessors delayed the insurance settlement process.
Board Responsibilities
Ensuring accurate representation in cyber insurance applications is fundamentally a board-level responsibility. The board must oversee the establishment of robust processes for identifying and disclosing all subprocessors. This includes:
- Implementing Thorough Vetting Procedures: Boards should ensure that the company has rigorous vetting processes for selecting subprocessors, including security assessments and compliance checks.
- Maintaining Accurate Records: Keeping detailed records of all subprocessors and the nature of the data shared with them is crucial.
- Ensuring Contractual Compliance: Boards must verify that contracts with subprocessors include necessary security clauses and are regularly reviewed.
- Regular Reviews and Updates: Given the dynamic nature of cyber threats and business operations, regular reviews and updates of the disclosed information are essential.
By fulfilling these responsibilities, boards not only safeguard the company’s interests but also position it favorably to secure appropriate compensation in the event of a cyber incident.
Conclusion
Navigating the intricacies of cyber insurance requires meticulous attention to the disclosure of data subprocessors. Non-compliance can jeopardize insurance claims, leading to prolonged negotiations and potential financial fallout. It is incumbent upon company boards to ensure that their organizations represent themselves accurately and comprehensively, thereby maximizing their chances of receiving compensation should a cyber incident occur.
Cyber Insurance | Getting Businesses Secured and Insured
3 months
Good points. The company that collects the data is ultimately responsible for it. A careful contract review that outlines responsibilities in the case of a breach can shorten the length of a claim as well. Requiring or checking that your subprocessor has adequate insurance will also help in the case of a breach.
CISO | Advisor | Investor
3 months
Thanks, this is very insightful.