AXA Cybersecurity Insurance Policy

Contract Teardown

Cybersecurity insurance should get your company back to work after a hack. That’s become much more complicated as hacks grow in frequency and impact.

Historically, insurers protected against cyber risk in narrow, hard-to-get, and expensive ways. With few significant breaches, the limits made sense. But now breaches—and the policies that compensate for them—are common.

So what should you know about these cybersecurity insurance policies? What should they include? How do you advise clients about their assumption of risks and smart costs? In this issue of the Contract Teardown, attorney Eric Drattel walks us through the most important red flags and wise counsel around the burgeoning field of cybersecurity insurance policies.

"It's very difficult to model cyber risk. I think it's important that you choose a reputable, well-regarded insurer." Eric Drattell

Questions In This Episode

  1. What should you look out for in the third-party coverage section of the policy agreement?
  2. Should you allow your first party coverage to be sub-limited?
  3. What makes first-party coverage really important?
  4. Why should you pay close attention to the damages section of the policy agreement?
  5. What damages are not included in the policy agreement?


AXA Cybersecurity Insurance Agreement

This agreement covers a business's liability for an online data breach involving sensitive customer information. Sensitive information includes things like social security numbers, credit card numbers, account numbers, driver’s license numbers, health records, etc.

In addition to covering financial losses, this agreement governs compensation claims and tools to avoid reputational damage. The policy doesn’t just cover criminal activities like hacking or distributed denial of service attacks; it also covers careless employees or service providers’ mistakes.

AXA’s Cybersecurity Insurance Agreement is a good example because AXA is a large company in the US and the contract is so comprehensive. It’s not a typical agreement, but it is one that could become more common as cybersecurity policies continue to grow.

Third-party Coverage: Fines and Penalties

Third-party coverage protects you if someone outside the agreement sues you for failing to implement privacy or security regulations, or if you fail to prevent a breach. It’s important to look at the terms of protection for coverage details.

These policies are a moving target because the area is so fast-moving. As incidents hit the news, underwriters amend policies to cover innovative hacks. If you have a cyber breach leading to the loss of personally identifiable information, violation of regulation, or violation of a data breach reporting requirement, you’ll need to keep on top of both the news and the policy.


A. Third Party Liability Coverages
The Insurer will pay on behalf of an Insured claim expenses and damages in excess of the applicable retention that the insured is legally obligated to pay as the result of a claim first made against the Insured during the policy period or Extended Reporting Period (if applicable) alleging a:

1. Technology Products and Services

technology wrongful act;

2. Professional Services

professional services wrongful act;

3. Media

media wrongful act;

4. Privacy and Cyber Security

privacy and security wrongful act,

committed by the Insured, a rogue employee, an outsourced provider, or by a third party for whose third party wrongful act an Insured is legally responsible.

In this case, AXA’s coverage for breaches leading to violation of regulations is new. Cyber risk policies have historically excluded situations where there might be a fine or penalty from a government agency. But the frequency of these outcomes has shifted assumptions. Covering these fines and penalties, as well as providing for regulatory damages, are impressive features of AXA’s policy and something to consider when drafting your own.

Sub-Limited First Party Coverage

This section relates to your company’s losses after a breach. While the coverage in this policy looks nice on the surface, you’ll need to check the declarations page to know if first-party coverages are sub-limited—you won’t see it in this section’s language.

First-party coverage can include things like the cost of bringing in a forensic investigator, engaging a law firm to represent you, bringing in a PR firm to interface with the public, or even setting up a call center to help people whose information might have been breached. Beyond those response costs, it covers the loss of business income that you would have made if the breach hadn’t happened.

Cyber extortion threats can also be included here. Again, keep on top of current events to know which threats are en vogue and which are worth negotiating over.

It's so important to check your declarations page, to see if your first party coverages are, in fact, sub-limited. Eric Drattell

When reviewing the declarations page, keep the payout caps in mind. If your first-party coverage is sub-limited, the actual payout to cover foreseeable costs may not be enough.

Negotiate for or draft a policy that does not have sub-limited first-party coverage if possible. Or, come up with terms that make the limit on coverage reasonable. Don’t assume that all of these costs will be covered, or you could be looking at bankruptcy in the event of a breach.

Data breaches happen. Taking precautions to minimize risks and costs can save you a lot when they do. While first-party coverage is often excluded from cyber policies, in many recent breaches in the media the bulk of the losses have been first-party costs.

Keeping Up with Potential Risks

To repeat ourselves, advising well on these policies requires staying abreast of recent attacks. So where do you find that information?

According to Eric, you can read industry press for stories in your market. But only the highest-profile messes will reach the media. Rather than rely on trade press, Eric suggests that you seek opportunities for education. Insurance companies and local bar associations will publish webinars and trainings on recent threats. You can also look at the Verizon report and the Ponemon Institute report for an overview.

Whatever resources you use, know that you’ll have to design your own education plan. Cobble together learning opportunities from places that might be new to you. Because these issues cross industry lines, pay attention to resources that you wouldn’t normally engage with.

You want to understand what the risks are, who's doing what to whom, and measure whether you have that exposure. Whether your vendors have that exposure. Eric Drattell

Controlling the Settlement Process

When evaluating remedies for possible cyber breaches, you need to know exactly how things will play out. Do you have the right to decide who your counsel or forensic consultants are? Or will you be forced to go with a panel made available by your insurer? This is a big subject of negotiations.

C. Data Breach Response and Crisis Management Coverage
The Insurer will pay or reimburse the Insured for data breach response and crisis management costs in excess of the applicable retention that the Insured incurs for a continuous eighteen (18) month period resulting from a data breach or cyber security breach. The payment period begins when the data breach or cyber security breach is reported to the Insurer in accordance with Section VI. Notice.


Some law firms and forensic firms are willing to charge the insurer a much lower rate because the insurer is not defending the claim. You might miss out on the top-tier law firms with the best expertise. The same goes for consulting firms. If you don’t want to pick someone on the insurer’s panel, ask if the insurer will still pay up to the maximum panel rate. Negotiating for the right to choose will help smooth the process in the event of a breach. These details can be found on the declarations page.

“Damages Do Not Include” List

Your process for drafting or negotiating a good policy should include a meticulous review of the “damages do not include” list. While the policy agreement includes an abbreviated list of excluded coverages, the damages section will list everything in its entirety.


K. Damages
Compensatory damages resulting from a judgment, award or settlement agreement, including pre-judgment and post-judgment interest, which the Insured becomes legally obligated to pay as a result of a claim, and punitive, exemplary damages, and multiple damages, if the insuring of such damages is permitted under the laws and public policy of the jurisdiction under which this Policy is construed, which the Insured becomes legally obligated to pay as a result of a claim. Enforceability of punitive, exemplary damages and multiple damages will be governed by the applicable law that most favors affirmative coverage for such damages.

Damages do not include:

  1. The return of any fees paid to an Insured or the offset of any future fees to be charged by or owed to an Insured;
  2. Lost investment income;
  3. Costs incurred by an Insured to withdraw or recall technology products, including products that incorporate an Insured’s technology products, technology services, or professional services;
  4. Costs incurred by an Insured to correct, re-perform or complete any technology services or professional services;

If you’re keeping up with market trends and recent breaches, you’ll recognize risky do-not-include list items. While some risks are almost impossible for an insurer to model, known risks coming out of recent events can be priced. Engage purposefully (and with newspapers in hand) with the insurer to make sure this list is what both parties are willing to uphold.


AXA’s Cybersecurity Insurance Policy is very comprehensive. Remember, the most critical job is to know the declarations page inside and out. This will give you a clearer understanding of what’s included and what’s not. When a breach does occur, you will be much better off knowing exactly what is covered, how the process will play out, what kind of control you have over the situation, and how fast you can respond.


Show Notes

THE CONTRACT: AXA’s Cybersecurity Insurance Policy Agreement

THE GUEST: Eric Drattell leads the Legal and Compliance teams for Roostify, a B2B2C cloud-based FinTech company. As General Counsel, he manages the company’s legal matters.

THE HOST: Mike Whelan is the author of Lawyer Forward: Finding Your Place in the Future of Law and host of the Lawyer Forward community. Learn more about his work for attorneys at

If you are interested in being a guest on Contract Teardown, please email us at


Eric Drattel [00:00:00] I do think you want to go to a reputable writer. There are lots of companies that get into the cyber risk insurance and may not maintain the adequate reserves to pay claims. They may not. It’s very difficult to model cyber risk. And so a company like AXA will be there if there’s a significant breach. So I think it’s important that that you choose a reputable, well regarded insurer.

Intro Voice [00:00:27] Welcome to the Contract Teardown show from Law Insider, where legal experts tear down contracts from some of the most well-known companies and high profile executives around the world.

Mike Whelan [00:00:40] In this episode, Eric Drattel, general counsel at Roostify, pares down AXA’s Cyber Security Insurance Policy Agreement. Although these insurance policies can and should be highly negotiated and customized, Eric walks through principles and red flags every lawyer should pay attention to. With major breaches in the news recently, lawyers should definitely know enough about these policies to advise well. So let’s tear it down. Hey everybody. Welcome back to the Contract Teardown show. On this show we do exactly what it sounds like. We hang out with smart friends like my buddy Eric here, and we break up contracts. We make fun of them, we pick on them. We even occasionally say what we love. Eric, thanks for joining us. How are you today?

Eric Drattel [00:01:26] I’m well, Mike, thank you. How are you?

Mike Whelan [00:01:29] I am. I am OK. Last time when we hung out, Eric is a two timer. He previously reviewed the indemnification clause in a Microsoft agreement. I would encourage you guys to go back and watch that. But at the time when he asked me that, I said it’s still twenty twenty. I know it’s technically twenty twenty one now, but it doesn’t really feel that way. So I’m going to say again, it’s still twenty twenty. So what the frick what we’re going to do today guys is we’re going to talk about this document. Let me share it with you guys real quick. This is a company called AXA. It’s a French company. And this document is a cybersecurity insurance agreement that we’re going over. And it covers a lot of terms that, you know, we’ve talked about this a lot in the news recently, especially with some law firms. So let me ask you that, Eric. Why why talk about this? What is our our focus on this document when her lawyer is going to run into it? Why does it matter?

Eric Drattel [00:02:24] OK, so nearly every business of of any kind has some sort of cyber risk coverage. And for a long time, cyber risk coverage was very narrow, hard to get, very expensive. But now you you hear ads for cyber risk coverage on the news at night. And then so lots of people are getting it. Lots of people are interested in it, but really don’t know what it includes and what it doesn’t include. And with what happened with solar winds, Orion product over the last month or so, the the need for cyber risk insurance is really greater than ever. And certainly people’s attention to that that need is is greater than ever.

Mike Whelan [00:03:06] Right. And that solar winds thing was a huge blow up. And I had read previously of even law firms. So even if you’re watching this and you’re not, you know, writing a document like this, you’re going to have to review documents like this even if you are inside a big firm. You know, a lot of these firms are having to make these decisions. And sometimes even small firms, which is a whole other issue about what we’re going to do is dig into the particular sections, go. So I want to scroll down real quick, Eric, to the beginning. Sure. Insuring agreements where in a third party liability coverages the insurer will pay on behalf of an insured claim, expenses and damages in excess of the applicable retention. We’re going to talk about the retention. But but tell me about this section. What are we looking at? It’s framing the thing. Do you like the language in here?

Eric Drattel [00:03:53] So so let’s talk about something that’s really important before we dive into the language in particular. The insurance policy is I wouldn’t quite say it’s fairly typical. And the reason why we’re using the AXA policy is AXA is the number two cyber risk insurance right here in the United States. So they are a big player, even though they’re French based. There are huge player in the US and they have a very comprehensive contract that covers lots of things. But the most important question you have to ask is what’s in my declarations? So the policy covers lots of things. It says we do this, we do that, bla, bla, bla. But you have to go to the declarations page at the end. And that’s not part of this policy because the declarations page is very individualized to the insurer and see what’s in fact included and what’s not. So third party that’s that’s really typical third party is other people who are suing you basically. So if if you are if you have a cyber breach and you lose personally identifiable information. As a violation of law regulation, there’s a violation of a data breach reporting requirement. You haven’t implemented your privacy or security regulations or if you fail to just simply prevent the breach, that’s all part of third party coverage when somebody sues you. So this is the cover that protects you in case you’re sued by a third party.

Mike Whelan [00:05:25] Hey, everybody, I’m Mike Whelan, I hope you’re enjoying this episode of the Contract Teardown show. Real quick, I want to ask you to do me a really quick favor. Look down below. You’ll see a discount code to join the Law Insider premium subscription. When you do that, you get access to more content like this. You’ll see webinars, daily tips on contract drafting, not to mention access to the world’s largest database of sample contracts and clauses. It will help you write better contracts faster if you want to do it. Right now, there’s a code below. So get there. Also, if you’re part of a larger team, if you’re in-house or in a law firm, just email us where it’s will make sure you get a deal as well. Come join us in the community. The code is below. Let’s get back to the show. And does this I mean, we’re getting into the language in this particular bit, so it’s talking about if there was any technology products or services, professional services, media, privacy or cybersecurity. So. So these are people, if I’m understanding correctly, if I’m if I own a law firm, for example, the client information that that data gets out. And I’m sure we’re going to talk about what’s included and what’s not in terms of damages to those people, as opposed to just covering litigation expenses and those kinds of things. On five, you know, it gets down to privacy, regulatory defense awards and fines. Talk to me about this section. What’s best practices in this kind of section? What should we look out for?

Eric Drattel [00:06:52] So this is a fairly new development because historically cyber risk insurance policies had excluded where there might be a fine or penalty brought by a government agency. So this is pretty this is pretty impressive that this is covering the fines and penalties and also covers something called regulatory damages, which are which is the consumer redress. So if you think about you have a privacy breach and let’s say you’re in California, where we have the California Consumer Privacy Act, where there’s a right to recover. Even though you can’t prove you are actually damaged, that would all be covered by this part of the policy, which is which is giving you relief from any claims by third parties.

Mike Whelan [00:07:41] So we’ve got if I’m understanding correctly, we’ve we’ve covered in the very beginning in terms of what we’re defining the scope of this thing. We’ve got maybe your clients are mad at you. We’ve got maybe governments mad at you, but then I as well as the law firm in this case, in the example that I gave, I’ve got expenses. Right. So let’s talk about that to be the first party coverage’s. What am I looking for in here?

Eric Drattel [00:08:04] OK, so first party coverages are the losses you suffer as a result yourself of the breach. And for a long time, first party coverages were oftentimes excluded from cyber risk policies or what’s called sub limited. So let’s just say hypothetically, you had ten million dollars of cyber breach coverage, but you might have your first party coverage sub limited to, say, a million dollars. And that’s part of the reason why it’s so important to check your declarations page, your dec page to see if your first party coverages are, in fact, sub limited. Why is this so important? It’s it’s a simple question, but with a somewhat more complicated answer, because in reality, the if you think back on the significant cyber breaches that we’ve had, it’s been almost all first party coverage. Just think about, say, Target or Michael’s. So first party coverage would cover things like your you have to bring in a forensic investigator to figure out what happened. You have to bring in a law firm to represent you. You have to bring in a PR firm to communicate with the public. You have to potentially set up a call center to handle calls from from people whose information might have been breached. If there are credit cards involved. You might have to. There’s costs associated with replacing credit cards. So there are a lot of first party costs. And if you look at Target, look at Michael’s, people like that, almost all of the damage they suffered were first party. So what you’re looking for here is is pretty in-depth coverage. So here for this first party coverage is a pretty broad loss of business income. That’s unusual. So that’s your net profit that you would have made. But for the breach, the extra expenses, the things that you do to avoid the loss of your income. This also covers cyber extortion threat in three at the bottom, which is, again, pretty new. And probably of all the things companies and law firms might encounter, this might be the one thing that they get with somebody makes a cyber extortion threat. They they. Plant something on one of your servers that locks up your server and they say if you don’t pay me X dollars, we’re going to destroy that data. So that’s that’s actually covered by this. If if the ransomware payment is authorized by the insurer, that’s likewise covered. And also, any cost of an investigation or how to respond to to that kind of cyber extortion that’s also covered. That’s that’s relatively new, pretty comprehensive and something that you should really care about. So, again, when you’re looking at your declarations page to see what your coverages are, you need to make sure ideally that there’s no sub limit at all on first party coverages and if first party coverages are sub limited at all. It’s it’s a really high sub limit. So if you get your coverage for 10 million, then maybe your sub limit is eight. But ideally, you don’t want any sub limited first party.

Mike Whelan [00:11:15] Yeah. And, um, let me ask you, like a child, when we talk about sub limiting, I say, like a child’s not going to know what a deductible is either. But when we say sub limited, are we talking about like a deductible in an insurance policy that a normal person might be dealing with? This is like they’re not going to pay this chunk, is that right?

Eric Drattel [00:11:35] That’s a good question. So a deductible is what you’re responsible to pay off the top. You have car insurance, which almost everybody does. You if you have an accident and your deductible is five hundred dollars, then for the first five hundred dollars comes out of your pocket and then the insurer pays the rest. Same thing in cyber risk. There’s what’s called retention or or or deductible. And that’s what you pay out of your pocket and you will reduce your premium by the more that you agreed to to a higher deductible. Sub limiting is saying that, again, if there’s 10 million in total coverage and the policy may say, but we’re only paying five million for first party, that’s that that’s the sub limit. So that doesn’t have anything necessarily to do with the deductible, although there could be a separate deductible applicable to first party. So you need to go and check for that as well. And you wouldn’t see that in the language here again. It would be in the dec page.

Mike Whelan [00:12:39] Yeah. And those are just it sounds like the number limits that you just have to know to pay attention to to be able to. And I was curious, just as an aside, it seems like you mentioned the cyber extortion. Presumably something happened out in the world right where somebody’s cyber extorted somebody else and then customers made demands to AXA: “Look, this is a thing that could happen.” It sounds like if I’m a lawyer who’s trying to pay attention to whether this is a good deal or not, I have to have a pretty strong awareness of what the possible threats are like. If I’ve never looked at one of these things before, I might not know. To look out for a cyber extortion clause in here is what’s a good way for a lawyer to sort of pay attention to what the potential risks are?

Eric Drattel [00:13:21] You know, that’s a very good question. I think, honestly, it’s just it’s reading the trade papers, seeing what’s out there, what what the trends in the market are. So ransomware, cyber extortion is very common, phishing very common. And if you were in any company of any size, then you’re going to see you’ll get those phishing emails. It’s an email that looks like it’s coming from the CEO and it says, I need ten thousand dollars wired to this account immediately so we can close this deal. And and it looks like it’s come from the CEO. It’s got his name on it or her name on it. But as it turns out, it might be from if you hover over the link, you might say, see, it’s somebody entirely different. But unfortunately, a lot of companies don’t do that and they wind up wiring that ten thousand dollars and then say to the CEO later, hey, did you get it? And he goes, Get what? And then, you know, you’ve been you’ve been ripped off.

Mike Whelan [00:14:26] So I’m remembering when I think it was Equifax that went all sideways. And you know, to your point earlier about the having to deal with the expenses of that, I think I remember they had like their own app, you know, developed that you had to go it because the the breach was just so big and they had to. So I’m looking down at see the data breach response and crisis management coverage. There’s a lot of details in here about what you’re going to have to do to clean it up. Talk to me about this section. What should I look out for?

Eric Drattel [00:14:54] This is this is a huge section. This is incredibly important because the data breach response and crisis management coverage is is really what this is all about. This is kind of take you all the first party costs. And looking together, as I said before, it’s the legal fees, the forensic consulting PR breach notification call center, credit monitoring. If you were if you were subject of the Equifax breach, as I was. They provided free credit monitoring service, they had a call center to if you had some questions, there are all sorts of costs associated with this, and this is what the insurer is standing behind. It’s it’s the costs of providing this. And the reality is to the point you made a moment ago, that. It’s this is this kind of coverage is really a response to both market demand and also what insurers see as an opportunity to write business, insurers want to grow and they grow by writing more business. And they take a risk, of course, that that. The premiums will exceed what they have to pay out. And so that’s why you see over time. Changes in what insurers will agree to because they’ll see where their losses are coming and what not, and when I first got involved in cyber risk insurance probably 10 years ago, the nobody had any data on anything. And so there was very much feeling around in the dark of what what should I cover, what shouldn’t I cover, what should I limit and so forth. And now as insurers are getting more information, they’re able to write smarter policies that provide the coverage that insurers need. And I would also encourage people. Part of the reason why I’m talking about the AXA policy is I do think you want to go to a reputable writer. There are lots of companies that get into this type of risk insurance and may not maintain the adequate reserves to pay claims. They may not. It’s very difficult to model cyber risk. And so a company like AXA will be there if there’s a significant breach. 
So I think it’s important that that you choose a reputable, well regarded insurer.

Mike Whelan [00:17:13] Yeah, you see general counsel at AXA, we’re tearing down your contract, but we’re also being nice, you see. So, you know, any time you’re dealing with multiple parties that are involved, which obviously an insurance agreement, that’s just by nature the way it’s going to go, there’s this question of when you’re dealing with defense, who’s paying and who’s got control. So I’m going to jump down to to where it talks about defense and settlement. And under a it says the insurer has the right and duty to defend any claim under the insuring agreement. One, a third party liability coverage is made against the insured. And it goes through all these questions about who’s got the control in the settlement and who’s dealing with costs. Talk to me about this section. What should I look out for here?

Eric Drattel [00:17:51] OK, so there are two points to pick apart in this section. First is that both Verizon and an organization called the Ponemon Institute publish information publicly available about data breaches. And one of the things that they both say is that the what they call a cost per record. How much for if Equifax had a million people whose whose data was taken in a breach, then that would be a million records. So they they compile what the cost per record is for data breach. And one of the things they say is having an insurer, a rather a forensic consultant on board and a law firm on board before the breach happens is really important. And it reduces significantly the cost of a breach. So if you if you figure out that, oh, my God, we’ve had a breach and then you start shopping around for a forensic consultant, you might be losing incredibly valuable time. So what I’ve done in the past as an example is I’ve actually kept a forensic consultant on retainer so I knew I could get a response within 30 minutes as opposed to waiting three days. And that could be the difference between you being in business and being out of business. So what you have to check in your cyber risk insurance policy, though, is whether you have the right to choose counsel of your own or forensic consultant of your own or whether you have to go with the panel. And this is oftentimes a big subject of negotiations because, again, there are lots of law firms in particular and some forensic firms that are willing to charge the insurer because the insurer is not defending the claim. A lot lower rate. And so oftentimes you’re missing out on the top tier law firms with really the best expertise in this area and the same with the consulting firms. So one of the points I often negotiate with the carrier, the insurer is if I if I don’t want to pick somebody on their panel, will they still pay up to the maximum panel rate? So let’s say they were going to pay five hundred dollars an hour for the law firm. And my law firm is charging seven fifty an hour. They’ll pay five hundred. I’ll have to pick up the remaining 250. So this is a really important point. And you want to make sure you understand. Are you stuck with their. Lawyers or can you choose your own if you want to choose your own, you have then you have to negotiate how that gets covered. That, again, will be documented in your declarations page.

Mike Whelan [00:20:33] And just instinctively, I’m thinking about the relative, you know, incentives of each side. You know, the company might be facing an existential threat after a data breach. This might be survival or not. The insurance company is just trying to limit the damage, which may not may not align, right?

Eric Drattel [00:20:55] That’s right. And I’ve looked at panel firms before, and I’ve every so often somebody will have panel firms that are pretty good. And you want to you want to choose them. But it’s worthwhile before you sign up for a cyber policy is understand who’s on their panel for the forensic firm, PR firm, law firm, so forth, and make sure you’re comfortable with them. There are, for example, PR firms that specialize in crisis management and there are other PR firms that are great at issuing press releases. So what I for my money, I would rather have a PR firm that has expertise in crisis management. And so that’s why I encourage you to engage in the dialog with the carrier to make sure before you sign up for the policy, who do I who do I have to choose from? What happens if I want to choose my own.

Mike Whelan [00:21:45] Well, I’m thinking you’ve mentioned the declarations page a few times, and I’m assuming that in that document, there’s going to be a lot about what’s included, what’s covered, what’s not covered. But if I go down to K, there is a section called Damages that especially says, you know, this line that you’ve got me paying attention to, damages do not include. And then they’ve got a pretty hefty list. Tell me about this section on damages and what’s excluded.

Eric Drattel [00:22:09] So this is the one part of the policy that is actually really important, because it tells you very specifically (ignore the declarations page for a second) we’re not covering any of this stuff, right. And oftentimes what they say they’re not covering is covered by other policies, so you can’t get recovery under, say, your policy and your cyber policy for the same loss. Or, for other things, they just say that this is a risk we don’t want to insure. Or, equally importantly, it’s a risk that’s so difficult to model that we can’t come up with a realistic price for it. So I think if you looked at the “damages do not include” section of a cyber policy five years ago, 10 years ago, it was a lot longer list than what we have here. This is a much shorter list because, again, as insurers can model the risk, they can come up with an appropriate premium for it. So the cost to withdraw or recall a technology product: if you sold a phone, for example, you’re a phone retailer, manufacturer or other, and you have to recall your phones, that would not be covered. If there are professional services that have to be done to correct a problem, not covered. And some of the things are covered, say, liquidated damages in excess of the insurance liability. So you just need to take a look at this list and make sure that if there’s something in this list that you want to have coverage for, you engage in that conversation. I’ll give you an example of something that I’ve negotiated. Oftentimes you’ll see involved in this kind of list: we’re not paying any contractual damages. So if, you know, you have a contract with somebody, or a law firm has a client, and they have a contractual right to contractual damages for a data breach, oftentimes those are not recoverable. Those would be in the damages excluded.
And I’ve actually gone back to insurers and said I want to cover contract damages, and this is why, and I’ve made an argument that some insurers felt was compelling enough to provide that kind of coverage, even though it’s a contractual loss. And my rationale for it basically is: they’re covering tort losses but not contract losses, but it’s the same dollars, it’s the same thing, therefore you should cover the contract losses as if it was a tort loss. It depends on the insurer and the premium you’re willing to pay, but some insurers are willing to provide that kind of cover.

Mike Whelan [00:25:06] Yeah, as I get through this, I’m thinking about principles, and it’s tough with this kind of document because, as you pointed out, it is so situation-specific, and negotiating around the situation. You had sent me a list of questions, and if we can get tactical and then move over to the principle, I just want to list a couple of these things off. Does the policy cover losses caused by rogue employees? Because it’s always people, right? Most of the time it’s people: ransomware, vendors, social engineering, phishing, cryptocurrency mining, or DoS attacks. And then another question you ask: does the policy cover typical first-party costs, including loss of business, legal fees, forensic investigation expenses, breach notification costs, credit monitoring costs, fines and penalties? What I’m seeing in this is, I hope if you guys run into this, you’ll actually go back and run down that list of things. But what I’m seeing in this is that there’s a long list, and if I’m going to be a good lawyer and a good counselor in this situation, I’ve got to know what should be included on that list. Talk to me about how we can be competent advisers in this area that most lawyers don’t know a ton about, to identify these risks.

Eric Drattel [00:26:18] Yeah. As I mentioned before, it’s kind of keeping abreast of what’s happening in the marketplace: looking at the Verizon report, looking at the Ponemon Institute report. There are lots of webinars that do very deep dives into cyber risk, not necessarily insurance, but causes of cyber risk. So, again, like the first question you ask, does the policy cover losses caused by rogue employees? Well, again, the data shows that rogue employees, and rogue employees doesn’t necessarily mean somebody is a bad actor. It could be somebody sloppy. They just push the

Mike Whelan [00:26:56] button, right?

Eric Drattel [00:26:58] Yeah. The very first data breach I was ever involved in was because somebody left a laptop in their car that had the Social Security numbers of thirty-five thousand employees, and the laptop was stolen. So that question, is that covered, is really important, because the vast majority of cyber risk claims are the rogue employee. And so you just have to keep abreast of what the trends are in the market for the kinds of things that are happening. The vendors: the Target data breach was because of a vendor. SolarWinds is primarily a vendor issue. I can’t tell you how many of my customers have reached out to me saying, do you use the Orion product by SolarWinds? That’s an important question to ask. So make sure that you’re not just covering yourself and ignoring what your vendors are doing, but making sure your vendors have coverage. So there’s a lot out there. Even cryptocurrency mining: every so often somebody gets access to your servers, and if you’re using cloud-based servers it can happen, and people go wild doing cryptocurrency mining. If you don’t have an alert, say, on your account, you could be hundreds of thousands of dollars into server-related costs and you might not even know it. And it might be all spent by somebody who’s broken in, and all they’re doing is cryptocurrency mining. They’re not stealing your information, but it’s costing you a fortune. Is that covered? So you want to understand what the risks are, who’s doing what to whom, and measure whether you have that exposure, whether your vendors have that exposure, and make sure you have adequate coverage to cover the things that you’re most concerned about.

Mike Whelan [00:28:55] Yeah, because it’s a pandemic, I’m going back and bingeing Burn Notice and similar spy shows. You guys should just watch those and take notes. They’re documentaries, you’ll see. It’s always people, right? They always get in through people. They screw up something and find all these numbers. So pay attention to those things. If people want to learn more about, you know, how to pay attention to these kinds of issues, where to go to learn more about some of the risks, what’s the best way for them to get in touch with you?

Eric Drattel [00:29:23] You can reach out to me on LinkedIn as well, and I’d be happy to engage in a conversation with anybody who has any questions about this.

Mike Whelan [00:29:30] Awesome. I appreciate that. And guys, we will have this document as well as other resources available at That’s where the show notes live. So go there. Also, if you want to be a guest on the Contract Teardown show and beat up contracts, sometimes nicely like Eric and I did, just email us. We’re at We’d be happy to have you. Thank you again, Eric. We’ll see you guys next time, OK?

Eric Drattel [00:29:56] Bye bye.
