
Monday, September 9, 2013

An Ironshore Cyber Policy--Part III



I should have mentioned this point before, but the policy is not typical of at least some other important cyber policies, or--more accurately--other groups of cyber policies. (There is just too much in this one to be typical of the simpler or narrower ones.  Several simple ones have been blogged earlier in this blog string.)

Remember: This Blog is organized around insuring agreements, definitions and exclusions. Conditions, etc., may be remarked upon briefly, but they often resemble not only each other but those found in currently existing policies.

__________________________________________________________________________________

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

 

Insuring Agreement: I.B Network Security Liability Coverage

_________________________________________________________________________________



This part will focus on the Insuring Agreement to be found in I.B. It is entitled Network Security Liability Coverage. The phrases Network Security and Network Security Wrongful Act have already been sketched in Part II.

The difference between I.A and I.B is that the word Insured plays a key role in the insurance agreement.  What is crucial in I.A is that it covers only Individual Director[s] or Officer[s] and not the Company.  I.B covers both the individuals and the Company and other Individual Insureds. The third category of insured includes:
  • certain past, present, or future employees acting within their scopes of employment and/or their "functional equivalents," [The idea of future employees having liability is entreating.]
  • an independent contractor working for the Company (on its behalf and for its "benefit") and committing a Wrongful Action while within the scope of his retention, which must be in writing.
Thus, this is not a "Side Excess" policy, and so individuals who are directors or officers (or both) do not have as much coverage.

Ask yourself whether the responsibilities of an Insurer to provide a defense for its Insured are the same as in I.A.

Keep in mind, there is a duty to defend. There is a separate section in which the duty to defend liability cases is set forth. This fact may be confusing even to the more experienced reader. The reason is that the duty to defend is usually set forth in the insuring agreement section of a policy. Here the opposite is true. That duty gets its own section. The insurer's duty to defend in this policy may be weaker than in many so-called "real world" policies. Most policies of the so-called "real world" require a liability insurer to defend its insured if the plaintiff's pleading states--or, probably in many jurisdictions, sketches--a covered claim; it does not require that the claim actually be covered. The plaintiff (and possible victim) can be wrong about what is asserted in the pleading or even lying, and there will still be a duty to defend. The liability sections of this policy don't appear to say that. It at least appears that the claim must actually be covered. I don't see how that can be true, but if I have understood the language, that is what it says.



Almost certainly I.B can be removed by endorsement.

Friday, September 6, 2013

An Ironshore Cyber Policy--Part II


  TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

 First Insuring Agreement: #I.A

Individual Officer or Director Insurance

I have already explained, in Part One, the first several words. Now I turn to the real unadulterated cyber content of the first Insuring Agreement. Remember, this is very sketchy. Only a few phrases will be quoted here; only a few definitions will be spelled out, and some sections will be skipped entirely or almost completely. The main focus is on the "Insuring Agreements," the Definitions, and the Exclusions. Subtitles and Definitions will be in bold, since that is how they are in the text.

This section pertains to the first Insuring Agreement. It is a liability section, as opposed to a first-party section. Roughly speaking, it insures against Losses resulting from covered Claims against covered individual persons (see Part I) for wrongful acts (WA) falling in either of two categories, Privacy Wrongful Act (PWA) or a Network Security Wrongful Act (NSWA).
"WA" is a frequently used term combined with one or more other phrases to focus on a type of category within which there can be a WA.  In I.A there are two categories already mentioned.
WA involves the idea of negligence, but that is not all it includes. WA means "any actual or alleged act, unintentional error, omission, neglect, or breach of duty by. . . the coming two WA types: Insured or a Service Provider that results in a Privacy Incident.

The idea of a Privacy Incident seems obvious enough for now, as is the idea of a non-owned company providing typical cyber services to the Insured. [Remember: each of these definitions has other definitions built into them. Notice that it appears that at least some intentional acts are included within the definitions of WA.] The idea of privacy pertains to data regarding matters people and/or companies don't want disclosed or made public, and a Privacy Incident is an event like that resulting from a PWA. (More details about the concept of Privacy Incident will be set forth in Part IV.)
The idea of NSWA is well known in parts, but it is more complex. Under this definition the following are included, and the insuring agreement covers losses directly caused by WAs in one or more of the following:
  • thefts, corruption, or deletion of Electronic Data from the Company's Computer System, unless it comes from the outside and that is not the company's fault [e.g., hacking?];
  • Unauthorized Access or Unauthorized Use of the Company's Computer System;
  • denial of Authorized Use, unless unintended breakdown;
  • Company's Computer System in some sort of attack on another system;
  • transmission of Malicious Code to another system. Further insured injuries may result. [There has been some controversy about whether CGL policies cover injuries to software since it is, in part, a physical object, i.e., something tangible that may suffer physical loss and loss of use.]

Exclusions exceed 50 in number, counting the sub-parts, and 25 if the sub-parts are not counted.  Most of them are, to some degree or other, analogous to exclusions found in so-called "real world" policies.

Significantly, there may or may not be a duty to defend, provide a defense, pay for a defense, pay on behalf of a defense for an Insured. Although the language is not completely clear, it seems likely that the duty to defend hinges, more or less, on the so-called "Eight Corners" Rule. When there is a duty to defend, the insurer "runs" the defense show and pays for it along the way. That is not always true in D&O policies, and it does not appear to be true in this policy on all occasions. In any case, for this and other reasons, the reader of this policy must be careful about several distinguishable phrases, "will pay," "will indemnify," and "will pay on behalf of." The last one is particularly tricky when it actually says "will pay on behalf of Insured all Loss . . . that the Insured is legally obligated to pay." This language may not provide the same coverage across the board. Why else would there be different phrases?

With regard to the duty to defend, there is a particularly puzzling phraseology. Here it is, more or less: "The Insurer will pay on behalf of. . . all Loss. . . which the. . .becomes legally obligated as damages." (The omissions are to leave room for different conceptions of who or what is an insured. And the word Loss includes Damages.) One problem in this coverage is that many insureds are not legally obligated to defend themselves; and, of two defendants, one may not only be not legally required to defend itself, but it may not be legally required to defend its codefendant(s).

This problem is one of appearance only. There is a separate section in which the duty to defend liability cases is set forth. This fact may be confusing even to the more experienced reader. The reason is that the duty to defend is usually set forth in the insuring agreement section of a policy. Here the opposite is true. That duty gets its own section. The insurer's duty to defend in this policy may be weaker than in many so-called "real world" policies. Most policies of the so-called "real world" require a liability insurer to defend its insured if the plaintiff's pleading states--or, probably in many jurisdictions, sketches--a covered claim; it does not require that the claim actually be covered. The plaintiff (and possible victim) can be wrong about what is asserted in the pleading or even lying, and there will still be a duty to defend. The liability sections of this policy don't appear to say that. It at least appears that the claim must actually be covered. I don't see how that can be true, but if I have understood the language, that is what it says.

Of course, with so many newly defined words, there will be controversy over what is meant.  However, there is at least one which is often in dispute here in the real world.  The policy often says that it covers "direct" losses, meaning that the loss must be "directly" covered by a covered cause.  The meaning of "directly" is subject to controversy.

What is direct as opposed to indirect?

Monday, September 2, 2013

An Ironshore Cyber Policy--Part #1

Michael Sean Quinn, Ph.D, J.D., Etc.
1300 West Lynn #208
Austin, Texas 78703
(o) 512-296-2594
(c) 512-656-0503

TechDefender

Tech E&O, Network Security, Internet Media and MPL Insurance Policy 

Part One (i):  Introduction

In previous parsing of cyber policies, I have tried to do whole policies all at once. That approach won't work for this policy; it may have been a bad idea at all times and across the board. With regard to this policy, I am going to divide it up, so that the individual blogs are much, much shorter. The attempt will be to do, where possible, one insuring agreement per part. In addition, there will be no attempt to spell out in detail each relevant provision: insuring agreement, definition, condition, and/or what have you. This may lead to subtleties being left out and/or other errors, but I will probably come pretty close.
I will include one small  substantive thing in this introductory section.  It is a concept taken over from standard, tangible Director & Officer policies, and since the D&O insuring agreement in this policy comes first in the discussions--it is, after all, the A insuring agreement--that order makes sense, at least for now.
This Ironshore contract of insurance is a complex--very complicated--blanket cyber policy concentrating mainly on liability insurance. It contains 11 different insuring agreements (A-K), 60 "primary" definitions and a great many "included" definitions (A-LLL). All the insuring agreements contained at least one primary definition, and many of the primary definitions are to be found in more than one. Many of the definition parts, at least, are really exclusions in disguise, though courts do not pay attention to that obvious truth.
In addition, there are 22 exclusions, some containing subparts, some of which take more than half a page, and--of course--almost all of them use at least one of the definitions.
Taken as a whole, the policy is 34 pages long. The application takes up 13 pages, and it becomes part of the policy. 
*******************************************************************************
 Part One (ii): Close to an Introduction
Preliminary Observation Regarding Insuring Agreement I.A

Insuring Agreement: "SIDE A" D&O LIABILITY COVERAGE

"Side A" is the first phrase in the first insurance agreement.  Many readers will not recognize it, so let's start there.  The locution "Side A" is not the same as the designation of Insuring Agreement I.A.
So, what is "Side A"?  The directors of corporations won't serve without some sort of protection from liability.  The same thing is true for "senior" officers, e.g., CEO, COO, some VIPs--roughly, whoever is named in the bylaws of the company as an officer: "Big Deal Administrators Capable of Large Decisions." 

Such protection--indemnity protection--can be provided by the entities themselves. Then again, consider Enron. Nobody wants that.

Or consider what might happen if the company went bankrupt. The directors and perhaps the officers might get dragged into the pit. Consider the failure of Dewey & LeBoeuf.

Now consider a financial liability policy on the corporation, as well as the directors and officers. In this situation the company might take care of itself and throw the directors and officers "under the bus," as they say.

It's better for the directors and officers to have their own policy, and it's better for there to be separate policy limits for each of them built into the same policy. These policies are called "Side A" policies. They are called excess policies because they quite often stand above other policies and funds. If the company can pay on behalf of a director, the Side A policy is never triggered. If the insurance on both the company and the individual directors and officers pays, then the directors and officers are protected. Only when neither the company itself nor the insurance policy covering the company, the directors and the officers can pay all owed is the insurance that directly covers only the directors and officers, i.e., the Side A policy, ever triggered. Only if the underlying policies cannot pay will the Side Excess policy step up to the plate.

Of course, there is always the possibility--even if it is extremely unlikely and not the sort of thing normal business persons and insurance underwriters would ever think will occur. This would happen when neither the company nor the "together-we-stand D&O policy" actually has coverage. Maybe the individualized Side A policy would provide coverage. If so, then the Side A policy wouldn't be just an excess policy but an umbrella policy as well.

Make sure you have read the immediately preceding blog in "Wrongful Acts, Claims, and Responses."

Now for some cyber insurance policy discussion focusing on one very complex policy.  It will involve at least 12 parts, all keyed to different insuring agreements.