The collapse of Silicon Valley Bank (SVB) has dominated the news and left the market reeling in its wake. As businesses continue to respond to the second-largest bank collapse in U.S. history, we have highlighted risks that businesses may face. Specifically, we expect an uptick in, among other things, cybercriminal activity and the commencement of increased regulatory and enforcement actions.
Business should keep in mind that Cyber and D&O insurance policies are designed, in many cases, to respond to these types of risks. As regulators and market participants simultaneously react to this crisis, policyholders can take several concrete steps to ensure that valuable insurance coverage is not lost:
- Policyholders should proactively review their insurance profiles to identify potential claims or actual claims. In the event of potential claims, companies may be able to provide their insurers with a “notice of circumstances” to lock in coverage under a current policy in the event a claim is formally asserted in the future. And for actual claims, companies should promptly notify every potentially responsible insurer. A delay or failure to provide notice can result in the limitation and, in some cases, elimination of insurance proceeds that would otherwise be available.
- Policyholders should familiarize themselves with the insuring language in their policies to understand the scope of coverage. Coverage under a D&O policy, for example, is not limited to shareholder actions against a company and its directors and officers. Rather, D&O policies typically tie coverage to the receipt of a “claim”– often defined as any written demand for monetary or non-monetary relief. Some D&O policies include investigations (formal or informal), subpoenas, and civil investigative demands within that definition. Businesses should not assume that there is no need to involve their insurers until a lawsuit or formal proceeding has been filed.
- While traditional crime insurers often resist acknowledging coverage for cybercrime and electronic fraud under crime policies, cyber insurance may more readily respond to these losses. Therefore, companies should consider requesting cybercrime coverage be included on their cyber policies. However, businesses should also ensure they have procedures to ensure that social engineering coverage is not lost. Some insurers have inserted language into their policies requiring an employee to “independently verify” a fraudulent instruction before the policy will respond– effectively rendering this coverage illusory.
- Don’t Take No for an Answer. Loss events with far-reaching consequences and global ramifications are fertile ground for baseless denials. Insurers are not keen on paying claims for emerging risks, particularly where the quantum is yet unknown. Policyholders submitting claims for coverage as cybercriminals and regulators react to the SVB collapse should expect bullish positions from insurers while the downstream effects remain uncertain.
Clients with questions on these or related issues should reach out to the authors of this alert or their Lowenstein contact.
To see our prior alerts and other material related to the collapse of Silicon Valley Bank, please visit our resource page by clicking here.