I wouldn’t be surprised if there are as many news stories related to the Panama Papers leak as there are papers leaked – around 11 million. Perhaps an exaggeration, but the impact has been tremendous, no doubt aided by social media.
The intention of this article is not to discuss the speed of the news cycle or even current concerns over privacy. I am more interested in whether cyber products could be used to cover this type of breach.
The Panama Papers event can be summed up as a leak of third-party data, under the custody of a law firm and presumably with the involvement of an employee.
Third-party loss policies such as errors and omissions (E&O) insurance and the main cover of cyber are meant to indemnify the loss suffered by other individuals or organizations (different from the insured). Additionally, to trigger the policy, there has to be a negligent act, error or omission at the insured’s end.
The sticking point of the Panama Papers is whether the law firm was negligent and therefore bears the responsibility of the leak. If so, what does “negligent” mean in this scenario? Who establishes the parameters of diligence and certifies best practices when it comes to data protection? Is there a standard they could have followed?
Usually found in these policies is a crisis or reputation endorsement. When a third-party data breach occurs, one of the company’s greatest assets, its reputation and brand, is at risk. It is essential that a company has a crisis management strategy and communications protocols in place to minimize and contain the damage as part of its risk management strategy.
They should take care that they have taken all measures available to protect their clients’ information. In a nutshell, they must ensure that they have been diligent in protecting the data entrusted to them.
But could a declaration of a breach waive the cover? Could re/insurers use it to reject future payments under a liabilities-based policy? It is important to carefully review statements and discuss them with insurers to avoid situations where the insured ends up missing cover while trying to contain the risks.
What about cyber cover?
Most cyber products in Latin American markets include a negligence element in their covers, so the same rules explained above will apply.
Could the loss of documents endorsement apply? Unfortunately I don’t think so, as the data has not actually been lost as defined by the policy. It is still there residing in your servers… and also in someone else’s servers.
So what should you be doing?
- Talk to your broker and ensure your re/insurers have clearly identified the loss scenarios where they will grant cover.
- Make sure your reputation or crisis extensions act independently of the main covers so any communications do not work against you in the future.
- Check the loss of documents definition and see what is considered to be a loss.
Finally, we have seen a large number of cyber events that will test the policies and raise the awareness of potential buyers. It is up to carriers to envisage an objective cyber cover that could leave the negligence trigger behind in certain cases and consider whether they really want to cover the unexpected.