Page 13 - Cybersecurity
P. 13

NYLJ.COM |
Cybersecurity | MONDAY, JUNE 5, 2017 | S13
Westworld
« Continued from page S2
Based on the bare language of the insur- ing agreement, a CGL policy should provide insurance coverage for “bodily injury” or “property damage” caused by an AI-enabled device or robot to a third-party. If an insurer wants to limit this coverage, the burden is on it to prove that an exclusion in the policy applies. While an insurer could argue that one of the standard GCL exclusions applies, currently there are no AI related exclusions for “bodily injury” or property damage.”
AI-enabled devices and robots are also permeating the professional world and per- forming roles once reserved for humans. As these entities increasingly provide services traditionally performed by humans, includ- ing medical and legal services, companies could face professional negligence claims that
To maximize the available insurance coverage for AI re- lated losses, a company should review and understand how and for what purposes it uses AI technology.
arise out of their reliance on AI technology. As a result, companies should consider their Errors and Omissions (E&O) insurance. E&O insurance, often referred to as malpractice insurance, is intended to insure against liabil- ity arising out of an act, error, or omission of the insured in rendering or failing to render services. While there is no “standard” wording for E&O coverage, most E&O policies pro- vide insurance for judgments, settlements and defense costs arising from professional liability claims of negligence, misrepresenta- tion, violation of good faith and fair dealing, and inaccurate advice. 7A Couch on Insurance (Third) §103.3 (2013).
Specialized E&O policies are also avail- able for technology-related professional liability claims. Tech E&O polices, while varying greatly in form, generally provide coverage to tech providers for losses result- ing from technology services, technology products, and network security breaches. As AI agents and robots perform progres- sively more autonomous professional ser- vices, an increase in specialized E&O poli- cies and insurance products is likely. For example, Lexington Insurance, a subsidiary of American International Group, recently introduced “Robotics Shield,” a policy suite that combines “general liability and prod-
uct liability insurance, robotics errors and omissions insurance, and specialized risk management, all specifically tailored to the robotics industry.” Based on the prolifera- tion of specialized cyber policies in the last decade, Robotics Shield is probably the first of many policy forms that will address AI and robotics.
AI-enabled devices and robots could also perform autonomous cyber actions against others, including an insured’s own company, a client, or an anonymous third-party. Compa- nies face considerable hurdles to obtain cov- erage for third-party cyber claims under the CGL policy. Since 2014 standard CGL policy forms exclude coverage for “bodily injury” arising out of a data breach. In addition, insur- ers have taken pains to draft language that data breaches and loss do not constitute property damage. For example, in 2001 the Insurance Services Office (ISO) amended its CGL policy form to clarify that “electronic data is not tangible property.”
The CGL policy also provides defense and indemnity coverage for claims against an insured alleging “personal and advertising injury.” There has been limited and divergent case law on whether losses from cyber securi- ty events are covered under the “personal and advertising injury” clause of the CGL policy. See, e.g., Zurich Am. Ins. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014) (while a hackers’ theft of confidential data on tens of millions of Sony PlayStation users con- stituted a publication of private information, the claim was not covered because the cyber information was published by the hacker, not the insured); Travelers Indem. Co. of Am. v. Portal Health Solutions, No. 14-1944 (4th Cir. April 11, 2016) (a computer server failure that resulted in the disclosure of medical records was a “publication” and the insurer had a duty to defend under the personal and advertising injury coverage provision). In part because of these limitations in the CGL policy, there are now a wide range of specialized cyber policies that purport to cover data breaches and cyber events. Therefore, if a company has purchased a cyber policy it should review for potential coverage if an AI-related cyber loss occurs.
To maximize the available insurance cover- age for AI related losses, a company should review and understand how and for what purposes it uses AI technology. In combina- tion with this review, insureds should review what risks and claims they currently do or could suffer. Insureds should also re-view their CGL, E&O, and any specialized tech E&O and cyber policies. And, perhaps most importantly with any emerging technology, companies should not make any assumptions about what is covered under their policies, let alone assume that an insurer is right in disputing coverage.
DFS
« Continued from page S9
insurers also are able to better price cyber insurance policies and anticipate likely claims.
Ensure Policies Are Properly Structured
You make a telephone call and find out that you have a cybersecurity policy in place. You can rest easy, right? Unfortunately, cyber insurance policy forms are largely untested in the courts. Many companies are using sophis- ticated policyholder counsel to review policy forms on a flat fee basis to look for gaps in coverage. Armed with information regarding your main risks, your insurance broker and counsel can help you avoid problematic lan- guage that might create gaps in coverage.
All insurance policies have exclusions, but all policies are not identical. In many instances, insurance companies may be will- ing to modify or eliminate exclusions. For example, one should avoid exclusions with prefatory language like “based upon, arising out of, or in any way relating to.” Insurers com- monly assert exclusions with this language broader than what was intended. Further, some cyber insurance policies contain an encryption exclusion barring coverage for loss resulting from unencrypted devices. Unless you know your employees do not use unencrypted devices (at home or in the workplace), such exclusions could be a sig- nificant coverage restriction. Finally, some policies contain exclusions for loss caused by “any governmental or public authority.” With attacks by governmental entities becom- ing more prevalent, these exclusions should be avoided.
Other terms and conditions also need to be considered. For example, there may be limitations hidden in the “Definitions” section of the policy. Moreover, one should beware of sub-limits. Although insurers sometimes market these sub-limits as benefits, in many
instances these limits actually reduce the amount of coverage that may otherwise be available.
The differences in policy forms often are subtle. But these subtle differences can have huge ramifications on coverage. Therefore, it is all the more important to work with expe- rienced professionals who can identify gaps or limitations in coverage.
Have a Plan in Place
Prepared companies understand they need to have a plan before a loss takes place. Already, many companies have retained a SWAT team—consisting of a cyber coach, attorneys, forensic accountants, and engi- neers—to take action in the event of a breach. Insurance needs to be part of the plan.
In the aftermath of a breach or a loss, you should have coverage counsel in place that will assess which insurance policies may respond, provide notice to applicable insurers as required under the policies, and document corporate losses in a manner that is likely to be paid. With a small investment on the front end, experienced coverage counsel can help you avoid likely traps that can result in litigation or a total loss of coverage. The worst case scenario is both to have a cyber loss and fail to properly access and maximize your insurance.
Conclusion
The DFS cybersecurity regulations give every business the opportunity to assess its cybersecurity. Regardless of prepared- ness, however, no company is immune from an attack. In the words of former FBI Director Robert Mueller: “There are only two types of companies: those that have been hacked, and those that will be.” As covered business- es work to meet the deadlines of the new cybersecurity regulations, they also should consider whether they have taken steps to secure insurance that will protect them.
Your hiring partner


































































































   11   12   13   14   15