This post was written by Brian Himmel, Andy Moss, David Weiss and Cristina Shea.
A recent study reports that the median amount of time between a breach of a company’s computer network and the discovery of the incident is 229 days. But some cyberliability policy forms require that both the breach event and discovery of loss (or resulting claim) occur during the policy period. So what happens when a breach is discovered three months into the policy period but, unbeknownst at the time, the intrusion actually occurred six months before, or even earlier? If your company’s cyberliability insurance policy excludes breach events occurring before the inception of the policy period, the company could find itself without coverage for an otherwise-covered claim or loss.
The use of retroactive dates and extended reporting periods to avoid such a gap in coverage is addressed in a Client Alert issued by members of Reed Smith’s Insurance Recovery Group. Retroactive dates extend the policy’s coverage back to a date earlier than the actual policy period, with the goal of covering events that already occurred but had not been discovered at the time the policy was purchased. An extended reporting period lengthens the period of time, beyond the expiration of the policy period, during which a claim or loss can be made against the insured and reported to the insurance company. These provisions can provide a critical protection under a cyberliability insurance program given the delays that may exist between a breach and its discovery.