The Importance of Retroactive Dates and Extended Reporting Periods in Effective Cyberliability Insurance Coverage

A recent study reports that the median amount of time between an intrusion into a company's computer network and the discovery of the incident is 229 days. The difficulty and length of time in detecting cyber infiltrations may be critical in the context of cyberliability insurance coverage.

A typical cyberliability insurance policy is written on a claims-made basis, providing coverage only when the discovery of loss or resulting claim occurs during the policy period. Some cyberliability policy forms may, however, require that both the breach event and the discovery of loss (or resulting claim) occur during the policy period. Unfortunately, hackers do not take the terms and conditions of a company's insurance into consideration. So what happens when a breach is discovered three months into the policy period but, unbeknownst at the time, the intrusion actually occurred six months before, or even earlier? If your company's cyberliability insurance policy excludes breach events occurring before the inception of the policy period, the company could find itself without coverage for an otherwise-covered claim or loss.

Retroactive dates and extended reporting periods provide two methods to avoid such a gap in coverage. Retroactive dates extend the policy's coverage back to a date earlier than the actual policy period, with the goal of covering events that already occurred (or are occurring), but had not been discovered at the time the policy was purchased. An extended reporting period lengthens the period of time, beyond the expiration of the policy period, during which a claim or loss can be made against the insured and reported to the insurance company, so long as the event giving rise to the claim occurred before the end of the policy period. Extended reporting periods may be utilized when changing insurance companies to ensure that the cyberliability policies provide continuous, non-interrupted coverage.

These two approaches can be seen using the following hypothetical:

  • Insurance Company A issues Policy 1 with a policy period from January 1 – December 31 of Year 1;
  • Insurance Company B issues Policy 2 with a policy period from January 1 – December 31 of Year 2; and
  • A breach occurs during Year 1 but is not discovered until Year 2

A retroactive date in Policy 2 that extends back in time to include Year 1 will enhance coverage under Policy 2 for a claim or loss resulting from the breach. So long as the breach occurred after the retroactive date, coverage is available under Policy 2 because it is triggered by the resulting claim or discovery of loss that occurs during its policy period (i.e., during Year 2). Purchasing an extended reporting period for Policy 1 will facilitate coverage under that policy for the claim or loss arising under the same scenario. Although the breach is not discovered until Year 2, so long as notice of the breach is provided during the extended reporting period, coverage is available under Policy 1 because the breach event took place during its policy period (i.e., during Year 1).

The willingness to include a retroactive period or offer an extended reporting period may vary among cyberliability insurance carriers. The length of the retroactive period or extended reporting period – and whether an additional premium will be required for either – will need to be negotiated on an individual policy basis. Retroactive dates and extended reporting periods can provide a critical protection under a cyberliability insurance program, given the delays that may exist between a breach and its discovery.

Liability insurance should be a vital component of any company's comprehensive data breach response plan. The time to identify and address potential gaps in coverage is before an adverse cyber event occurs. Thus, when purchasing or renewing coverage, it is important to understand how retroactive dates and extended reporting periods can impact the coverage available for a cyberliability claim. Companies considering cyberliability coverage should therefore seek guidance from experienced coverage counsel to evaluate their coverage.

This article is presented for informational purposes only and is not intended to constitute legal advice.