Understand the nuts and bolts of cyber insurance before buying

Consider risk exposure, affordability, other factors when choosing a policy


Answering the growing demand for cyber risk insurance, many carriers have joined the market. But buying a policy for an organization, especially for the first time, can be a confusing process.

Not only are insurance carriers inconsistent in the type of coverage they offer, but buying this type of insurance is also different from buying the more common policies, such as general liability.

“Businesses have a difficult time determining the probability of suffering a loss and the potential size of a claim,” says Bill Wagner, a partner in the Indianapolis office of legal firm Taft. “In addition, there are no standard policies.”

Dave Wasson, Hays Cos. cyber liability practice leader

One misconception among buyers is risk exposure. For example, who bears the liability if a third party, such as a payroll service, data warehousing or cloud provider, causes the breach?


“A lot of companies assume that by signing a contract with a vendor, they’ve outsourced or got rid of the liability—and that’s almost never the case,” says Dave Wasson, cyber liability practice leader at insurance brokerage Hays Cos.

A common mistake is rushing to buy a policy without assessing the vulnerabilities first, says Christine Marciano, president and CEO at Cyber Data-Risk Managers, which specializes in cyber insurance.

“Companies should know first where their data is residing, what type of data they are holding, and the security around their network and their employees,” she says.

Some of the main categories of cyber insurance coverage are:

• Security and privacy liability: Damages, typically arising from data breaches, that affect a third party.

• Regulatory defense: Most policies cover fines and penalties, in addition to defense costs, for an investigation by a regulatory agency.

• Data recovery: Costs for restoring or recreating data that was damaged or stolen.

• Crisis services: Services necessary after an actual or suspected data breach; they could include computer forensics, breach notification, credit monitoring and public relations.

• Business interruption: Typically relates to loss of business income due to a cyber attack.

• Data extortion: Coverage for incidents such as ransomware attacks if the threat is deemed credible.

Not all insurers include these categories in the core policy. Some offer them only as add-on coverage, often with lower coverage limits than the core policy.

What you need to know

Based on tips from Wagner, Wasson and Marciano, here are some basic things organizations new to cyber insurance should know:

1. Policy conditions: Carriers may deny a claim if practices or minimum standards that were listed in the coverage application are missing or have changed. Know the conditions you must follow for the coverage to remain in effect.

Wasson strongly cautions against buying the kind of policy that imposes the minimum standards or practices condition. He calls it “essentially a mistakes exclusion” and says it’s not common in other types of insurance.

2. Exclusions: Just as important as what’s covered is what isn’t. The list of exclusions can be extensive and include such things as network negligence (e.g. unpatched software), chargebacks (such as when credit card numbers are stolen) and failure to upgrade technology.

3. Expert panel: Most plans come with a preapproved panel of crisis-response vendors. If you have an established relationship with your own vendor, the insurance company may be willing to approve that company for the panel.

4. Prior acts: It can take a long time for a breach to be discovered, which means cyber attackers may have been lurking in the network for months, and sometimes years. Some carriers offer additional coverage for prior acts: incidents that happened before the policy’s retroactive date and that the policyholder doesn’t know about yet.

5. Jurisdiction: State laws are different and, in the event of a lawsuit, the location of the court will impact the interpretation of the contract and the damages.

Wagner says the state law should be the leading factor in determining the type of policy and amount of coverage and should be discussed with the insurance broker and legal team.

6. Policy amount: Since there is not enough actuarial data showing how much a loss would cost, and the size of a claim depends on many variables, there’s no golden rule for how much coverage you will need.

Christine Marciano, Cyber Data-Risk Managers president and CEO

Some companies look to research such as Ponemon Institute’s Cost of Data Breach surveys. But Marciano says it often comes down to what the company can afford.

“(The limits) tend to be expensive and the smaller companies often can’t go for the higher limits,” she says.

Wasson says determining the adequate limit is the most difficult part of his job.

“We know what a good policy looks like,” he says, “so sometimes the only question is: Is the insured willing to pay for the best policy, or do they want the cheapest thing that meets contractual obligations?”
