Inefficient responses to cybersecurity claims necessitate regulation

Cybersecurity insurance issues, including liability for losses and the cost of coverage for small businesses, raise questions about whether cybersecurity insurance should be linked to or regulated by public policy.

Daniel Woods, a lecturer in cybersecurity at the University of Edinburgh and author of the May Lawfare research paper “Civil Liability and Software Insurance,” thinks it is unlikely that policymakers will address the issue of cybersecurity insurance subrogation, but says they should start considering the liability of security software manufacturers.

“If there is no subrogation, it potentially could lead to a situation where the insurer simply takes on the consequences, the liability, and then the vendor has no incentive to improve their security,” Woods said.

In addition, cybersecurity software vendors include clauses in their contracts under which users waive subrogation, so that their insurers cannot pursue claims against the vendor. “That’s a big barrier to subrogation, and it basically has to do with the market power that the big, powerful technology vendors and the relatively small SMEs are negotiating with, and they just don’t have the market power to negotiate terms that are going to help them,” Woods said.

Midsize companies have widely adopted cybersecurity insurance, according to a survey of 5,000 IT leaders commissioned by Sophos, a provider of cybersecurity services, and conducted by the British research company Vanson Bourne.

But insurers could do more to assert their subrogation rights, according to Jillian Raines, a partner at the law firm Cohen Ziffer Frenchman & McKenna.

“Insurers don’t put in the expense and work to pay a claim and then don’t exercise their subrogation rights,” she said. “Instead, after the fact, they challenge the commercial structure of how the insured has been working with its suppliers, or they try to use the insured’s strong or weak indemnity rights and the timing of when they exercise those indemnity rights against the insured as a failure to cooperate with respect to coverage. They don’t do what they should, which is not paying covered claims and then not exercising their subrogation rights.”

While software vendors’ contracts bar their customers from seeking subrogation, insurers, for their part, have dispute-resolution clauses that require confidential arbitration, which can be disadvantageous to the insured, according to Raines. Still, the language in those clauses “is not watertight and has not been tested,” she said.

In addition, policyholders and insurers with long-term relationships can work more closely together on the terms of cybersecurity insurance, she noted. “Issuing an insurance policy is, in a sense, a commercial transaction, even though the insured rarely has the opportunity to draft any terms,” Raines said. The length of the claim investigation and the information the insured must provide are aspects that “seem really practical,” she said. “Reasonable minds should be able to work together and within a set of parameters. Everyone should be on the same page and be able to come to a resolution.”

The U.S. Office of the Chief Cybersecurity Officer has solicited proposals from academics on regulating liability for cybersecurity-related software and issued a national cybersecurity strategy in March 2023. Raines suggests that a law similar to the Terrorism Risk Insurance Act, enacted in 2002 to address terrorism-related insurance claims, is needed.

“This needs to be created to provide consistency and potential federal support in the event that massive cybersecurity breaches occur or continue to occur,” she said.