Cybersecurity coverage issues, including responsibility for losses and the cost of coverage for small businesses, are raising questions as to whether cybersecurity insurance should be related to or governed by public policy.
Daniel Woods, a cyber security lecturer at the University of Edinburgh and author of Lawfare’s May research paper “Software Liability and Insurance,” thinks it’s unlikely that policymakers will step in on cybersecurity insurance subrogation, but says they should start considering security software makers’ liability.
“If there is no subrogation, potentially it could result in a situation where the insurer just absorbs the consequences, the liability, and then the vendor doesn’t face any incentives to improve their security,” Woods said.
…
Still, insurers could do more to pursue subrogation rights, according to Jillian Raines, a partner in the Cohen Ziffer Frenchman & McKenna law firm.
“The insurers are not putting in the cost and work to pay a claim and then exercise their subrogation rights,” she said. “Instead, after the fact, they’re challenging the commercial structure of how the policyholder worked with its vendors, or trying to use policyholders’ strong or weak indemnification rights, and the timing of them exercising those indemnification rights, against the policyholder as a failure to cooperate with respect to the coverage. They’re not doing what they should, which is to pay covered claims and then exercise subrogation rights.”
While security vendors prohibit users from pursuing subrogation, insurers in turn have dispute resolution clauses requiring confidential arbitration, which can be a disadvantage for a policyholder, according to Raines. Still, the language of these clauses is “not airtight, and is untested,” she said.