Why Fraud Matters When Using R&W Insurance: Revising ABRY and EMSI

by Richard French and Alvin L. Reynolds, Jr.

Legal Analysis

Introduction

Representations and warranties insurance (“RWI”) is a common feature of private M&A transactions, aligning the interests of seller and buyer by transferring the risk of a breach of the representations given by the seller in the underlying purchase agreement to an independent, creditworthy insurer. Before “stepping into the shoes of the seller” and issuing a policy to the buyer, the RWI insurer must underwrite several risks, including the seller’s failure to disclose known matters addressed by the representations given in the underlying purchase agreement.

A central pillar of the RWI underwriting process is that parties negotiate at arms’ length, with a seller engaging in a robust disclosure process to ensure known matters are disclosed pursuant to schedules included in the transaction documents. To encourage a thorough “scheduling” process, RWI insurers have historically required sellers to remain liable for a portion of potential losses. A high proportion of transactions are now structured to eliminate the seller’s liability, with such transactions being commonly referred to as “no indemnity” or “public-style” deals.[1] In order to incentivize robust seller disclosure, RWI insurers preserve their right to pursue sellers in the event of seller fraud.

This article explores the rights available to an insurer to mitigate the risk of inadequate disclosure, and those available to a seller to limit the scope of recourse available to a buyer and/or RWI insurer in a transaction.[2]

Representations, Disclosure and Moral Hazard  

The primary purpose of a buyer demanding representations in the underlying agreement is to elicit disclosure from a seller. The information obtained from the disclosure exercise enables a buyer to determine the appropriate purchase price. In this way the representations and disclosure act as a “pre-signing” price adjustment mechanism.[3] The secondary purpose of representations is to act as a “post-signing” price adjustment mechanism, allowing a buyer to recoup any overpayments. When a seller is liable for a breach of the representations, there is a clear incentive to fully disclose known matters, as doing so avoids a post-closing claim against the seller. However, in an RWI-backed deal, the seller has limited or no liability which, prima facie, removes the incentive to disclose; indeed, if an insurer bears the risk of a post-closing claim, the seller is incentivized to limit disclosure in order to achieve a higher upfront price. How do insurers control for this “moral hazard”?

“Moral hazard” is the tendency to increase exposure to risk when the consequences of the risk are borne by a third party (e.g., insurer).[4] As the policyholder, a buyer is a party to the RWI insurance contract, and the RWI insurer can control for the buyer’s moral hazard directly. Matters within its knowledge are carved out of coverage through a “no claims declaration” and corresponding exclusion. The no claims declaration operates as an anti-sandbagging provision, precluding a buyer from making a claim for matters of which it had prior actual knowledge.

Of greater importance to an RWI insurer is mitigating the moral hazard risk of a seller not scheduling known matters. As the seller is not a party to the insurance contract, an insurer has no direct means of controlling seller behavior. The insurer must therefore seek to influence the behavior of the seller indirectly – via the rights of a buyer through the doctrine of subrogation.

Subrogation

The principle of subrogation enables an insurer to attempt to recoup its loss once it has paid the insured under the policy. After payment, the insurer can “step into the shoes” of the insured and proceed against any third party responsible for causing loss.[5] This can be any claim that the insured may have against a third party, including contract, tort or statutory claims. Although an insurance policy will typically contain express subrogation provisions, the rights of subrogation will generally apply even if not stipulated in the policy wording. It is important to understand that an insurer’s right of subrogation derives from the rights of the insured. In the context of RWI, this is the right of a buyer against the seller within the underlying purchase agreement.

Why “fraud” matters

An important mechanism for an RWI insurer to incentivize thorough seller disclosure is to retain the right to recoup from a seller any money paid to the buyer as a result of “fraud.”

As explained below, “fraud” has many interpretations, and it is therefore imperative for a seller to define it appropriately. Undefined or poorly drafted fraud carve-outs in the purchase agreement might expose a seller to unintended claims, e.g., fraud of the management team of which a private equity sponsor had no knowledge. “Fraud carve-out” clauses are frequently included within the “limitation provisions” of the purchase agreement, delineating the instances in which a breaching party will be unable to “shield” itself behind the carefully negotiated limitation (e.g., caps, survival periods).

Two Delaware Court of Chancery cases, ABRY Partners v. F&W Acquisition LLC (“ABRY”) and EMSI Acquisition, Inc. v. Contrarian Funds, LLC. (“EMSI”), demonstrate the importance of carefully drafting limitation provisions and associated fraud carve-outs.[6] While ABRY demonstrates that even a well-crafted limitation provision will not shield a seller from its own intentional fraud with respect to express representations and warranties in a transaction document, EMSI highlights the perils of imprecise drafting in exposing the seller to others’ fraud.

In ABRY, the purchase agreement contained a limitation provision capping the seller’s liability at a defined amount with no fraud carve-out. Citing public policy, the court found that, notwithstanding the limitation cap in the agreement, the seller was unable to shield itself from a claim by the buyer in respect of its own intentional fraud that contradicted the express representations and warranties given by it in the agreement.

EMSI highlights the dangers of “inelegant” drafting and the potential for fraud to be imputed on all sellers as a result. In EMSI, the purchase agreement included a fraud carve-out provision that included “any action or claim based upon fraud.” At the pleading stage, the court ruled that such broad language could be interpreted to permit recovery against all sellers, even if those sellers had no knowledge of the fraud and/or were not responsible for the management of the business. Thus, the defendants’ motion to dismiss was not granted. This position highlights the need for sellers to explicitly limit the fraud carve-out as desired.

As a matter of law, the absence of a clearly defined fraud carve-out could result in an extensive scope of possible recourse against a seller, as “undefined fraud is an ‘elusive and shadowy term,’ which may not be limited to deliberate lying despite that common notion.”[7] More specifically, fraud has many meanings, including “common law fraud” (which includes recklessness), “equitable fraud,” “promissory fraud” and “unfair dealings fraud.”[8] Therefore, the possible interpretations of fraud by courts extend beyond “lies” of a seller.

Notably, ABRY ruled with respect to the express representations and warranties set forth in the purchase agreement that “when a seller lies — public policy will not permit a contractual provision to limit the remedy of the buyer to a capped damage claim.” Consistent with ABRY, RWI insurers are primarily concerned with sellers who knowingly make false representations. Therefore, based on ABRY, practitioners representing sellers should seek to limit the definition of “fraud” to a seller’s actual (not constructive) knowledge of the inaccurate representation expressly given in a purchase agreement, made with intent to induce the other party to rely on the misrepresentation. Defining fraud in such a way avoids future claims by buyers/insurers premised on (i) alleged “reckless” or “equitable fraud”; (ii) alleged fraud based on extra-contractual statements (e.g., statements made in meetings but not enshrined as representations in the contract); or (iii) alleged fraud committed by third parties such as management.

Agreement provisions

As noted above, the subrogation rights of an RWI insurer against a seller derive from those rights of a buyer against the seller. An understanding of an insurer’s subrogation rights therefore requires an examination of a buyer’s rights against the seller. While there are numerous “limitation provisions” in agreements that limit a buyer’s rights against a seller, the principle clauses are the “non-reliance,” “exclusive remedy and “indemnification and limitation” clauses. Additionally, in an RWI deal, a seller will often require that the agreement contains a “subrogation waiver” clause to limit any claims the insurer, through subrogation, may have against the seller.

Examining each provision in turn:

Through a non-reliance clause, a seller disclaims liability for all representations other than those contained in the agreement; that is, a buyer is unable to make a claim for statements made in management presentations, data rooms, Q&A trackers and other deal documents. This limits a buyer’s rights to the four corners of the agreement. Given the wide scope of potential statements that may be made by the various parties on an M&A transaction (management, advisors, consultants), buyers typically accept that there should be no fraud carve-out to the non-reliance clause, regardless of whether RWI is used on the deal.

Through an exclusive remedy clause, a buyer’s claims (contract and tort) against a seller for a breach of the representations are limited solely to: (i) the indemnification clause and RWI policy on seller indemnity deals; or (ii) the RWI policy for “no indemnity” or “public-style” deals. It is common for buyers to insist on a fraud carve-out to the exclusive remedy provision. This is often accepted by sellers, but only if fraud is appropriately defined.

Through an indemnification and limitation clause, a seller will indemnify a buyer for a breach of the representations, subject to predetermined monetary caps and survival periods. On an RWI-backed deal with limited seller indemnity rights, the representations will typically survive for 12-18 months and be capped at 0.5% of the enterprise value. On a “no indemnity” or “public-style” deal, there will be no indemnification provisions in the agreement. It is common for buyers to insist on a fraud carve-out to the limitation provisions, and this is often accepted by sellers but only if fraud is appropriately defined.

Through a subrogation waiver, a buyer: (i) acknowledges the seller has limited or no liability for a breach of the representations given in the agreement; and (ii) covenants that the RWI insurer will waive any subrogation rights against the seller, save in the event of fraud. Certain sellers will desire that this waiver be given without the fraud carve-out, but this is typically unacceptable to RWI insurers.

Considerations for buyers and sellers

First, sellers must insist that “fraud” is appropriately defined so that it is limited to the seller’s intentional misrepresentation of the express representations in the agreement with intent to deceive.

Second, the parties must assess whether it is reasonable for the “non-reliance,” “exclusive remedy,” “indemnification & limitation” and “subrogation waiver” provisions to contain a fraud carve-out, taking into account RWI insurer requirements.

As previously noted, the “non-reliance clause” will typically not contain a fraud carve-out. An RWI insurer will never require a fraud carve-out, given the RWI policy only covers a breach of the representations given within the four corners of the underlying agreement. The insurer will never be liable for extra contractual representations, so it would be unreasonable and unnecessary for an insurer to request a fraud carve-out to the non-reliance clause.

In light of ABRY, there is a strong argument that RWI insurers should not require a fraud carve-out for “exclusive remedy” and “indemnification and limitation” provisions. This is because, as a matter of law, the seller is unable to shield itself from the type of fraud of which RWI insurers are primarily concerned, so an RWI insurer’s subrogation rights will be unhindered for circumstances in which it will pursue subrogation. Certain insurers (particularly if the agreement is governed by Delaware law) can accept this, while others require a fraud carve-out to the “exclusive remedy” and “indemnification and limitation” provisions. For agreements governed by the laws of other jurisdictions, particularly New York where the case law is less certain, there are still reasonable arguments for RWI insurers to accept no fraud carve-out to the “exclusive remedy” and “indemnification and limitation” provisions, but the arguments are less compelling.

With very rare exceptions, RWI insurers require the “subrogation waiver” provision to include a fraud carve-out. However, as emphasized above, a seller should insist this fraud carve-out is limited to “actual fraud” with “intent to deceive.”

Conclusion

Given the increasing prevalence of “no indemnity” deals, RWI insurers’ requirement to maintain subrogation rights in the event of seller fraud has never been more important. However, it is imperative that “fraud” is appropriately defined to preserve the delicate balance between an RWI insurer’s need to ensure robust disclosure and a seller’s need to avoid post-closing disputes. Lawyers representing sellers should seek to limit an RWI insurer’s rights of subrogation against a seller to instances of “fraud” that law and public policy do not permit to be limited by contract. Consistent with the ruling in ABRY, this means that the definition of fraud should be limited to a seller’s actual knowledge of an inaccurate misrepresentation given in an agreement with intent to induce a buyer to rely on such misrepresentation.

[1] Atlantic Global Risk, Atlantic Global Risk: M&A Insurance Market – 2019 Insights 7 (2020)

[2] Special thanks to Glenn D. West, Partner, Weil, Gotshal & Manges LLP, for his wonderful insights and input; and special thanks to Virginia Wong, Senior Analyst, Atlantic Global Risk, for her hard work and contributions to this article.

[3] See Sean J. Griffith, Deal Insurance: Representation and Warranty Insurance in Mergers and Acquisitions, 104 U. Minn. L. Rev. 4 (Forthcoming) (2020)

[4] See Sean J. Griffith, Deal Insurance: Representation and Warranty Insurance in Mergers and Acquisitions, 104 U. Minn. L. Rev. 4-5 (Forthcoming) (2020)

[5] Sean J. Griffith, Deal Insurance: Representation and Warranty Insurance in Mergers and Acquisitions, 104 U. Minn. L. Rev. 53 (Forthcoming) (2020); C.L. Tyagi & Madhu Tyagi, Insurance Law and Practice, 146

[6] ABRY Partners V, L.P. v. F&W Acquisition LLC, 891 A.2d (Del. Ch. 2006); EMSI Acquisition, Inc. v. Contrarian Funds, LLC, et al., C.A. No. 12648-VCS (Del. Ch. May 3, 2017)

[7] Glenn D. West, That Pesky Little Thing Called Fraud: An Examination of Buyers’ Insistence Upon (and Sellers’ Too Ready Acceptance of) Undefined “Fraud Carve-Outs” in Acquisition Agreements, The Business Lawyer, Vol. 69 1053 (2014)

[8] Glenn D. West, That Pesky Little Thing Called Fraud: An Examination of Buyers’ Insistence Upon (and Sellers’ Too Ready Acceptance of) Undefined “Fraud Carve-Outs” in Acquisition Agreements, The Business Lawyer, Vol. 69 1055 (2014)

 

Richard is a Managing Director and Co-Founder of Atlantic Global Risk, a specialist transactional risk insurance broker. Richard is responsible for directing Atlantic’s strategic growth and direction, including identifying and developing new product lines.

Alvin is an Executive Director and the head of Atlantic’s Boston office, where he counsels clients on risk mitigation solutions for complex regulatory issues and other matters.


SJC Addresses the Enforceability of Settlements Entered Without Insurers’ Consent

by Austin Moody

Case Analysis

The Massachusetts Supreme Judicial Court (SJC) recently issued an important decision addressing three issues that can arise in the fairly common scenario in which an insurer recognizes its duty to defend its insured, does so under a reservation of rights, and then brings a separate action seeking a declaratory judgment that it owes no duty to indemnify its insureds.

In Commerce Ins. Co. v. Szafarowicz, 483 Mass. 247 (2019) the court addressed 1) whether the lower court properly denied the insurer’s motion to stay the underlying action until the question of its duty to indemnify had been determined in a declaratory judgment action, 2) whether the lower court properly denied the insurer’s motion to deposit its policy limit with the court – which would prevent the accrual of postjudgment interest, and 3) whether the insurer was bound by the settlement/assignment agreement the insured reached in the underlying matter.

The underlying case involved a wrongful death suit brought by the estate of David M. Szafarowicz.  On August 3, 2013, shortly after a verbal altercation at a bar, Mr. Szafarowicz was struck and killed by a vehicle operated by Matthew Padovano.  The vehicle was owned by Matthew’s father, Stephen Padovano, who had purchased an automobile insurance policy from Commerce Insurance Company (Commerce). Id. at 249 – 50.

Commerce agreed to defend the Padovanos in the underlying case.  In addition, Commerce agreed to pay the $20,000 in compulsory insurance offered by the policy.  However, it issued a reservation of rights regarding $480,000 in optional insurance based on the fact that the policy did not cover intentional acts and there was substantial evidence that Matthew Padovano struck the decedent intentionally.  Commerce subsequently brought a declaratory judgment action seeking to establish that it had no duty to indemnify the Padovanos. Id. at 250 – 51.

Less than three weeks before the trial of the underlying action, Commerce filed a motion to intervene in the case based on its claim that both plaintiff and defendants were presenting Mr. Szafarowicz’s death as arising out of negligence rather than an intentional act – ostensibly to maximize the available insurance coverage.  The judge denied the motion but held that Commerce would be allowed to challenge the fairness of the underlying litigation in the future.  Id. at 252 -53.  After the denial of its motion to intervene, Commerce moved to stay the wrongful death trial until after the question of insurance coverage was resolved in the declaratory judgment action.  Again, Commerce’s motion was denied. Id. at 253.

Shortly before trial, the wrongful death action was settled.  Matthew Padovano agreed that he was grossly negligent, the estate agreed not to enforce any judgment beyond the amounts payable by the insurance policy, and the Padovanos agreed to assign all rights under the Policy to the estate.  Commence objected to the settlement, but again, its motion was denied.  Judgment ultimately entered in the amount of $7,669,254.41 – $5,467,510 in damages plus prejudgment interest in the amount of $2,201,744.41. Id. at 254.

Commerce appealed, challenging the denial of its motions to stay the wrongful death action so that the declaratory judgment action could be adjudicated first, and the overruling of its objections to the settlement.  In addition, it sought to deposit the policy limits plus accrued postjudgment interest with the court.  Commerce’s objective was to limit its liability for future postjudgment interest under a policy provision stating “[w]e will not pay interest that accrues after we have offered to pay up to the limits you selected.”  Commerce’s motion to deposit the funds was denied and Commerce filed an interlocutory appeal.  On its own motion, the SJC transferred both appeals to its court. Id. at 254 – 56.

During the pendency of the appeal, Commerce prevailed in its declaratory judgment action in which the trial court held that the death was caused by Michael Padovano’s intentional conduct. The SJC therefore found that Commerce had no duty to contribute to the judgment above the $20,000 in compulsory insurance it had already paid.  However, under the terms of the policy, Commerce still had an obligation to pay postjudgment interest on the entire judgment

In its decision, the SJC addressed three issues.  First, the SJC found that the lower court did not abuse its discretion by denying Commerce’s motion to stay.  The Court found that Commerce did not suffer prejudice when the judge refused to stay the wrongful death action pending a resolution of the coverage dispute.  Commerce was protected from prejudice based on the fact that it was subsequently permitted to challenge any underlying findings of negligence in the wrongful death action and was not bound by that court’s findings.  In fact, Commerce had successfully done so and prevailed in the coverage litigation.  Additionally, the Court found that it would be unfair to the claimant to delay the wrongful death action pending the resolution of the coverage case. Id. at 257 -58.

Second, the SJC found that the court did not abuse its discretion by denying Commerce’s motion to deposit the policy limits and accrued interest. Commerce was not permitted to prevent the accrual of postjudgment interest by conditionally depositing the policy limits plus accrued postjudgment interest with the court.  The Court held that in order to prevent the accrual of postjudgment interest, Commerce would have to agree to pay its limits without conditions or qualifications.  However, Commerce was actively seeking a declaratory judgment that it did not owe indemnity due to the intentional acts exclusion and, if successful, it planned to seek the return of the policy limits.  Therefore, Commerce could not prevent the accrual of postjudgment interest. Id. at 259.

Finally, the Court found that Commerce was only bound by the underlying settlement/assignment agreements to the extent that they were found to be reasonable by the trial court.  The SJC ruled that reasonableness should be considered based upon the “totality of the circumstances” including the facts bearing on the liability and damage aspects of plaintiff’s claim, as well as the risks of going to trial.  Id. at 265.  Because no reasonableness hearing was conducted by the trial court in this case, the SJC remanded for a hearing on the reasonableness of the settlement/assignment agreements. Id. at 267.

The SJC declined to consider an alternative inquiry into whether the settlement was collusive, because it opined that all settlement agreements of this nature – in which only the insurer is at risk of paying the plaintiff’s damages – can be characterized as somewhat collusive. It held that any concern an insurer may have that the plaintiff and the insured defendant have colluded to improperly inflate a settlement or stipulated judgment may be addressed as part of a reasonableness hearing.  Id. at 266 – 67.  Presumably, any settlement that was reached as the result of improper collusion would be determined to be unreasonable.  The Court also declined to join a minority of states that in all circumstances, “because of the risk of collusion, declare such settlement/assignment agreements to be unenforceable where an insurer has honored its duty to defend.”  Id. at 264.

The SJC noted that “the procedure we direct on remand is different from what we expect to happen in the future where an insurer successfully challenges a settlement/assignment agreement before judgment.” Id. at 267. In that event, the trial court “may decline to enter judgement in that amount and invite the parties to renegotiate “an agreement that might prove reasonable in amount”.  Id. at 267 – 68.

Ultimately, the SJC’s opinion provides helpful guidance as to how an insurer offering an insured a defense under a reservation of rights in Massachusetts should proceed.  It recognizes that the insurer will not always be bound by the findings of fact in an underlying case and preserves an insurer’s ability to challenge unreasonable settlements.

Austin Moody is an associate with White and Williams LLP in Boston, where he represents insurance carriers in complex coverage disputes.


Cyber/Privacy Insurance: A Very Brief Primer

Reisch_Alanby Alan M. Reisch

Practice Tips

“If you don’t know where you are going, you might wind up someplace else.”
Attributed to Yogi Berra

Massachusetts has one of the country’s most stringent statutory and regulatory schemes relating to data privacy and security. The complexity and scope of available insurance products dealing with “cyber” exposures, in Massachusetts and throughout the business world, has dramatically increased over the past several years and is now as fractured and complicated as is the law, which differs from state to state and from country to country. Insurance underwriters, insurance brokers, technologists, security professionals, pundits and others offer conflicting advice about how to best move through this maze of insurance policies, technology, and the many potentially applicable state and federal regulations that often conflict. Imagine that there is growing apprehension that a company is at risk. At some point, a lawyer is called to advise on insurance protection. What is that lawyer to do?

The first step is to establish a team of professionals and client representatives who will, together, work through the issues that will allow the development of a meaningful strategy. The team should include the lawyer, an insurance professional, a technology resource (internal to the client’s business operations or external), and a representative of the client who is sufficiently vested with authority so that access to required information will be facilitated. Once the team is in place, the following should happen, in more or less this sequence:

1. The team should develop a realistic understanding of the client’s cyber/privacy and data risk profile. It is important to analyze not just electronic exposures, but traditional paper-based exposures as well. Among the many factors to consider are the following:

A.  The type and location of protected information that is procured, handled, managed and stored by the client. Protected information includes, but is not limited to, private personal information (which is defined differently in various jurisdictions and under different regulatory schemes but often consists of an individual’s first name, last name, and either a social security number, bank account number or other similar data point), and confidential business information.

B.  The federal, state, and local statutory and regulatory schemes that impact the client’s obligations with respect to protected information. Most states have adopted data privacy regimes that are grounded in statutes (in Massachusetts the applicable statute is Mass. Gen. Laws ch. 93H) and implemented through a series of regulations. Several federal agencies, including the FTC and the SEC, are focused in meaningful ways on the security of personal and other confidential information that is handled by businesses. Courts are, in most instances, finding statutory and regulatory support for robust enforcement actions by these agencies. It is important to keep in mind that many states, Massachusetts among them, have taken the position that their privacy schemes are meant to be protective of their citizens wherever those citizens conduct commerce.

C.  The commercial obligations that have been assumed by the client by contract or otherwise in connection with data security and privacy. These should be charted, and compliance measured.

D.  The security of non-electronic records that contain protected information.

E.  The client’s network and electronic information storage infrastructure. As with non-electronic records, this infrastructure should be assessed by qualified professionals, and a plan should be established for correction of deficiencies.

2.  Next, insurance coverage that is already in place should be reviewed. Among the policies to be reviewed are:

A.  General Liability policies

B.  Directors and Officers Liability policies

C.  Errors and Omissions policies

D.  Fiduciary policies

E.  Crime policies

F.  Professional Liability policies

G.  Commercial Property policies

The risk profile that has been developed should be reviewed in the context of the insurance coverage that is present in these policies (there are no true “standard forms” and careful, term-specific analysis is required). The insurance professional who is part of the team should assist in identifying potential exposures that are not within the scope of the existing coverage.

3.  Having established a risk profile, assessed the protection afforded by the insurance coverage in place and begun the process of correcting deficiencies, the team should next consider whether existing coverage should be supplemented, including whether stand-alone cyber/privacy coverage should be procured. The policy wordings that might be employed to supplement existing policies, and the policy forms that are available as stand-alone products, are not standard forms of insurance. Nearly all wordings can and should be specially negotiated.

As the stand-alone cyber/privacy insurance market has evolved, these general coverage types have become “standard” in most offerings (with the caveat that while the coverage “type” may be standard, the implementation varies from insurer to insurer, and from product to product, in meaningful ways):

A.  Third party coverage against claims asserting a “data privacy wrongful act,” a “network security wrongful act,” or other similar coverage grant. This coverage affords the cyber/privacy equivalent of general liability coverage. A client purchases this coverage to protect against third party claims alleging damages due to the client’s handling of protected information.

B.  Third party coverage for claims relating to violation of intellectual property rights or copyright.

C.  Various types of first party coverages (coverage that will pay an insured for loss that the insured suffers itself, rather than indemnifying an insured for claims asserted by others), such as:

1.  Notification and related expense coverage;

2.  Coverage for regulatory fines and penalties;

3.  Coverage for the expense of recreating information that is damaged, compromised or destroyed as the result of a data security incident, or other covered occurrence;

4.  Coverage for the expense resulting from the inability to use a network or other asset as the result of a covered event; and

5.  Coverage for fines and penalties payable as the result of a failure to maintain appropriate levels of Payment Card Industry compliance in connection with credit or payment card exposures (this is not as generally available).

There are, of course, additional issues that will arise in the course of developing an appropriate mitigation strategy and insurance structure. For example, it may be necessary to allow an insurer, or several insurers, to independently audit a client’s infrastructure. It may be that an insurer adds exclusions to a policy that render otherwise appropriate coverage difficult to accept – for example, adding an exclusion that would allow an insurer to avoid payment obligations in the event that there is a change in network structure, levels of security protection, or the like. These types of potentially devastating exclusions, sometimes based on ambiguous terms that are difficult to either understand in an operational sense or manage, can make otherwise meaningful protection unacceptable.

So, dealing with the structure of an effective cyber/privacy insurance program requires knowing what you’ve got, knowing what’s lacking, and filling gaps in a targeted way. Know where you’re starting, understand the potential end points, and you’ll get where you’re going and not someplace unexpected.

Alan M. Reisch is a Director in the Litigation Group at Goulston & Storrs, as well as a Founder of the firm’s risk management affiliate Fort Hill Risk Management, and counsels clients in connection with insurance coverage and portfolio analysis, risk assessment and management, fraud, data privacy and other related issues.