Cybersecurity insurance subrogation issues raise regulation questions

Closeup of computer screen displaying ransomware attack notice with skull and crossbones
arrow - stock.adobe.com

Cybersecurity coverage issues including responsibility for losses and the cost of coverage for small businesses, are raising questions as to whether cybersecurity insurance should be related to or governed by public policy.

Daniel Woods, a cyber security lecturer at the University of Edinburgh and author of Lawfare's May research paper "Software Liability and Insurance," thinks it's unlikely that policymakers will step in on cybersecurity insurance subrogation, but says they should start considering security software makers' liability. 

"If there is no subrogation, potentially it could result in a situation where the insurer just absorbs the consequences, the liability, and then the vendor doesn't face any incentives to improve their security," Woods said.

Also, cybersecurity software vendors have clauses in their contracts stating that users forgo subrogation of claims by their insurer. "That's a big barrier to subrogation, and it's essentially to do with market power that you have big, powerful technology vendors and relatively small SMEs negotiating with them, and they just don't have the market power to negotiate for terms that help them," Woods said.

Middle-market size companies have widely adopted cybersecurity insurance, according to a survey of 5,000 IT leaders commissioned by Sophos, a cybersecurity services provider, and conducted by U.K.-based market research firm Vanson Bourne. 

Still, insurers could still do more to pursue subrogation rights, according to Jillian Raines, a partner in the Cohen Ziffer Frenchman & McKenna law firm. 

Jillian Raines of the Cohen Ziffer Frenchman & McKenna law firm
Jillian Raines, partner, Cohen Ziffer Frenchman & McKenna
Gittings Photography

"The insurers are not putting in the cost and work to pay a claim and then exercise their subrogation rights," she said. "Instead, after the fact, they're challenging the commercial structure of how the policyholder worked with its vendors, or trying to use policyholders strong or weak indemnification rights, and the timing of them exercising those indemnification rights, against the policyholder as a failure to cooperate with respect to the coverage. They're not doing what they should, which is to pay covered claims and then exercise subrogation rights."

While security vendors prohibit users from pursuing subrogation, insurers in turn have dispute resolution clauses requiring confidential arbitration, which can be a disadvantage for a policyholder, according to Raines. Still, the language of these clauses is "not airtight, and is untested," she said. 

In addition, policyholders and carriers with longer-term relationships can work more closely together on cybersecurity coverage terms, she observed. "The issuance of an insurance policy in some respects is a commercial deal, even though the policyholder rarely gets to draft any terms," Raines said. The timing of a claims investigation and the information the policyholder must submit are aspects that "seem really practical," she said. "Reasonable minds should be able to work together and within the parameter set. Everybody should be on the same page and be able to get to a resolution."

The U.S. Office of the National Cyber Director has sought proposals from academia for cybersecurity software liability regulation, and issued a cybersecurity strategy in March 2023. Raines suggests a law is needed, similar to the Terrorism Risk Insurance Act concerning insurance claims involving terrorism, instituted in 2002. 

"That should be created so there is consistency and potential federal backstop in the event that there is, or continues to be, some massive cyber breach event," she said.

For reprint and licensing requests for this article, click here.
Cyber security Cyber attacks Law and regulation Small business
MORE FROM DIGITAL INSURANCE