The American Bar Association
Arbitrating Cyber Coverage Disputes
March 13, 2019
By Peter A. Halprin and Daniel Garrie
Policyholders buying insurance are generally focused on obtaining sufficient coverage in dollar terms for the insurance risks that they face. They assume that they will receive the protection for which they have presumably paid handsome premiums. Many policyholders and their brokers therefore fail to consider the consequences of being compelled to arbitrate or forgo the bargaining power to negotiate the terms of the arbitration if and when a dispute arises. Policyholders and brokers, however, should bear in mind that arbitration clauses can and should be the subject of negotiation. As written, these clauses generally tilt the playing field toward the insurance company. As reshaped by negotiation, however, arbitration can be beneficial to policyholders as well as to insurance companies.
Arbitration tends to work best when both parties buy into the process from the beginning. It tends to work worst when one party feels that arbitration was imposed on it. In the commercial insurance context, arbitration is generally imposed, even on sophisticated commercial policyholders. This comes about through mandatory arbitration clauses in form policies that are typically nonnegotiable, including domestic, excess, and surplus lines, London and Bermuda policies. If possible, however, a policyholder should try to negotiate an arbitration clause, perhaps by way of endorsement, that provides acceptable terms in the event of a dispute.
There are circumstances in which policyholders may actually want to be part of a confidential arbitration, particularly when the dispute involves sensitive issues, business processes, or trade secrets. Under such circumstances, a policyholder may not want further publicity about the issues and may prefer to keep documents and testimony confidential. For example, in cases involving cyber breaches, insurance companies and policyholders may benefit from the confidentiality arbitration provides. Cyber breaches typically involve sensitive customer information, issues pertaining to intellectual property, and the intangible cost to insurance companies or a policyholder’s public image. Also sensitive are disputes involving discussion of a policyholder’s cybersecurity measures and cyber defenses. If this issue is being adjudicated, the company may not want its strategy and network architecture to become part of the public record.
To read the full article, go to The American Bar Association