January 6, 2017
Understand the Nuts and Bolts of Cyber
One misconception among buyers is exposure. For example, who bears the liability if a third party, such as a payroll service, causes the breach?
Answering the growing demand for cyber risk insurance, many carriers have joined the market. But buying a policy for an organization, especially for the first time, can be a confusing process.
Not only are insurance carriers inconsistent in the type of coverage they offer, but buying this type of insurance is different than the more common policies, such as general liability.
“Businesses have a difficult time determining the probability of suffering a loss and the potential size of a claim,” says Bill Wagner, a partner in the Indianapolis office of legal firm Taft. “In addition, there are no standard policies.”
One misconception among buyers is risk exposure. For example, who bears the liability if a third party — such as a payroll service, data warehousing or cloud provider — causes the breach?
See also: Promise, Pitfalls of Cyber Insurance
“A lot of companies assume that by signing a contract with a vendor, they’ve outsourced or got rid of the liability — and that’s almost never the case,” says Dave Wasson, cyber liability practice leader at insurance brokerage Hays Cos.
A common mistake is rushing to buy a policy without assessing the vulnerabilities first, says Christine Marciano, president and CEO at Cyber Data-Risk Managers, which specializes in cyber insurance.
“Companies should know first where their data is residing, what type of data they are holding, and the security around their network and their employees,” Marciano says.
Some of the main categories of cyber insurance coverage are:
- Security and privacy liability: Damages typically related to data breaches that affect a third party.
- Regulatory defense: Most policies cover fines and penalties, in addition to defense costs, for an investigation by a regulatory agency.
- Data recovery: Costs for restoring or recreating data that was damaged or stolen.
- Crisis services: Services necessary after an actual or suspected data breach; they could include computer forensics, breach notification, credit monitoring and public relations.
- Business interruption: Typically relates to loss of business income due to a cyber attack.
- Data extortion: Coverage for incidents such as ransomware attacks if the threat is deemed credible.
Not all insurers include these categories with the core policy. Some offer them as add-on coverage as well as impose smaller coverage limits.
See also: The State of Cyber Insurance
What you need to know
Based on tips from Wagner, Wasson and Marciano, here are some basic things organizations new to cyber insurance should know:
1. Policy conditions: Carriers may deny a claim if practices or minimum standards that were listed in the coverage application are missing or have changed. Know the conditions you must follow for the coverage to remain in effect.
Wasson strongly cautions against buying the kind of policy that imposes the minimum standards or practices condition. He calls it “essentially a mistakes exclusion” and says it’s not common in other types of insurance.
2. Exclusions: Just as important as what’s covered is what isn’t. The list of exclusions can be extensive and can include such things as network negligence (e.g. unpatched software), chargebacks (such as when credit card numbers are stolen) and failure to upgrade technology.
3. Expert panel: Most plans come with a preapproved panel of crisis-response vendors. If you have an established relationship with your own vendor, the insurance company may be willing to approve that company for the panel.
4. Prior acts: It could take a long time for a breach to be discovered, which means cyber attackers could be lurking in the network for months — and sometimes years. Some carriers offer additional coverage for prior acts, incidents that the policyholder doesn’t know about yet and that happened prior to the retroactive policy date.
5. Jurisdiction: State laws are different and, in the event of a lawsuit, the location of the court will impact the interpretation of the contract and the damages.
Wagner says the state law should be the leading factor in determining the type of policy and that the amount of coverage should be discussed with the insurance broker and legal team.
6. Policy amount: Since there is not enough actuarial data showing how much a loss would cost and the amount of the claim depends on various variables, there’s no golden rule for how much coverage you will need.
Some companies look to research such as Ponemon Institute’s Cost of Data Breach surveys. But Marciano says it often comes down to what the company can afford.
“(The limits) tend to be expensive, and the smaller companies often can’t go for the higher limits,” she says.
See also: Cyber Rules May Be Only Weeks Away
Wasson says determining the adequate limit is the most difficult part of his job.
“We know what a good policy looks like,” he says, “so sometimes the only question is: Is the insured willing to pay for the best policy, or do they want the cheapest thing that meets contractual obligations?”
This article was first published on ThirdCertainty and was written by Rodika Tollefson.