The ins and outs of cyber liability insurance.

• Author: Bentz, Thomas H., Jr.
• Position: LEGAL BRIEF

* Losses from cyber events can be staggering for government contractors. Attacks, often from nation-state-sponsored entities, can cause millions of dollars in losses and be devastating for a business.

For example, in 2014, a high-profile provider of background checks to the Office of Personnel Management experienced theft that allegedly exposed the personal information of about 27,000 government employees.

OPM terminated its contract, resulting in $417 million in lost revenue, and the contractor's parent company was forced to file for bankruptcy protections. This was in addition to the cost to notify the employees of the breach, the costs of the related litigation and the damage to the reputation of the contractor.

Cyber liability insurance may offer a lifeline to government contractors to minimize financial losses in the event of a breach. Unfortunately, such policies are both complicated and rapidly changing. There is no standard policy form, which means that the coverage offered by one insurer can--and often does--differ dramatically from that offered by another insurer.

There is also little agreement between insurers on what should be covered, when the coverage should be triggered or even how basic terms should be defined. These differences make understanding what is and is not covered very difficult. It also makes it nearly impossible--or at least foolish--to purchase this coverage based on price alone.

One of the biggest challenges for government contractors trying to purchase cyber insurance coverage is simply knowing what to ask for from an insurer. There are many areas where government contractors should negotiate changes to their cyber liability insurance policies.

A typical prior acts exclusion excludes coverage for any claim based upon wrongful acts that occurred prior to a certain date--often the inception date of the policy. This can be extremely problematic in the cyber context because hackers may install spyware, viruses and other malware long before a breach is discovered. If the policy considers the intrusion date as the date of the wrongful act, a contractor may end up with no coverage for a breach that is discovered after the policy has incepted. For this reason, contractors should make every effort to avoid prior acts exclusions whenever possible.

Many government contractors are surprised to learn that cyber liability policies generally exclude coverage for portable electronic devices such as laptop computers or cell...