This post was written by Amy S. Mushahwar and J. Andrew Moss.
If your team is in the process of negotiating and purchasing security and data privacy event liability insurance (“cyberliability” coverage), think carefully before signing any technical due diligence representations or warranties that are typically requested in connection with the insurance application. Oftentimes, this detailed privacy compliance document is presented to an IT or Security Group with very little input from the company’s legal team. This is an area where the lawyers need to be acting in concert with IT and/or Security, not only because the information communicated to the insurer’s underwriter likely will not be privileged (and thus could be disclosed in litigation), but also because errors or misstatements in the application, even if innocent, may give rise to an insurance coverage dispute in the event of a claim. Reviewing the completed insurance application with the assistance of counsel before submission to the underwriter may help to avoid problems down the road.

For example, one of our clients discovered in the process of applying for cyberliability coverage that it was representing having in place full, up-to-date system-patching across the enterprise. In most organizations, however, full system-patching is not feasible or even advisable, given customized software suites, new-version software bugs, or other software- or hardware-specific compatibility issues. By having its legal and technical teams work in concert, our client was able to correct this representation prior to disclosure and instead provide the underwriter with its system-patch management policy, which documents the flexibility to conduct patch analysis before deploying a patch. Had the inaccurate representation gone uncorrected, it could, in the event of a breach or claim, have unnecessarily compromised the company’s ability to recover under its insurance policy.