The case at hand pits insurer Zurich American against its client Sony: Zurich has refused to cover the costs of class-action lawsuits stemming from Sony’s embarrassing breaches, and wants the courts to weigh in with a judgment to clarify the matter.
“There are probably still some risk managers out there that think that their comprehensive general liability policy covers breaches,” says Sagalow, who was one of the main experts in charge of first drafting cyberinsurance policies for Zurich when he worked for the company prior to starting his own consulting shop. “These types of cyberevents are not covered in the typical standard forms of insurance.”
Sagalow says that as cyber-risks increase in sophistication and pervasiveness, organizations need to think about adding coverage that can hold up to court scrutiny when everything hits the fan. But because cyberinsurance is such a new phenomenon, it’s a buyer-beware situation.
“Unlike many insurance policies that companies buy, there is no standard form — it’s not like comprehensive general liability or workman’s comp or fleet auto — cyber is not standard,” Sagalow says. “Plus, it is in an area which is called surplus insurance, meaning that they’re not subject to state filing regulations for state approval, which allows freedom of an insurance carrier to set terms and conditions.”