Understand the nuts and bolts of cyber insurance before buying

Consider risk exposure, affordability, other factors when choosing a policy

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Answer­ing the grow­ing demand for cyber risk insur­ance, many car­ri­ers have joined the mar­ket. But buy­ing a pol­i­cy for an orga­ni­za­tion, espe­cial­ly for the first time, can be a con­fus­ing process.

Not only are insur­ance car­ri­ers incon­sis­tent in the type of cov­er­age they offer, buy­ing this type of insur­ance is dif­fer­ent than the more com­mon poli­cies, such as gen­er­al lia­bil­i­ty.

Busi­ness­es have a dif­fi­cult time deter­min­ing the prob­a­bil­i­ty of suf­fer­ing a loss and the poten­tial size of a claim,” says Bill Wag­n­er, a part­ner in the Indi­anapo­lis office of legal firm Taft. “In addi­tion, there are no stan­dard poli­cies.”

Dave Wasson, Hays Cos. cyber liability practice leader
Dave Was­son, Hays Cos. cyber lia­bil­i­ty prac­tice leader

One mis­con­cep­tion among buy­ers is risk expo­sure. For exam­ple, who bears the lia­bil­i­ty if a third par­ty, such as a pay­roll ser­vice, data ware­hous­ing or cloud provider, caus­es the breach?

Relat­ed: Cyber insur­ance com­pa­nies offer val­ue-added ser­vices

A lot of com­pa­nies assume that by sign­ing a con­tract with a ven­dor, they’ve out­sourced or got rid of the liability—and that’s almost nev­er the case,” says Dave Was­son, cyber lia­bil­i­ty prac­tice leader at insur­ance bro­ker­age Hays Cos.

A com­mon mis­take is rush­ing to buy a pol­i­cy with­out assess­ing the vul­ner­a­bil­i­ties first, says Chris­tine Mar­ciano, pres­i­dent and CEO at Cyber Data-Risk Man­agers, which spe­cial­izes in cyber insur­ance.

3c_cyber-insurance_121416Com­pa­nies should know first where their data is resid­ing, what type of data they are hold­ing, and the secu­ri­ty around their net­work and their employ­ees,” she says.

Some of the main cat­e­gories of cyber insur­ance cov­er­age are:

• Secu­ri­ty and pri­va­cy lia­bil­i­ty: Dam­ages relat­ed typ­i­cal­ly to data breach­es that affect a third par­ty.

• Reg­u­la­to­ry defense:Most poli­cies cov­er fines and penal­ties, in addi­tion to defense costs, for an inves­ti­ga­tion by a reg­u­la­to­ry agency.

• Data recov­ery: Costs for restor­ing or recre­at­ing data that was dam­aged or stolen.

• Cri­sis ser­vices: Ser­vices nec­es­sary after an actu­al or sus­pect­ed data breach; they could include com­put­er foren­sics, breach noti­fi­ca­tion, cred­it mon­i­tor­ing and pub­lic rela­tions.

• Busi­ness inter­rup­tion: Typ­i­cal­ly relates to loss of busi­ness income due to a cyber attack.

• Data extor­tion: Cov­er­age for inci­dents such as ran­somware attacks if the threat is deemed cred­i­ble.

Not all insur­ers include these cat­e­gories with the core pol­i­cy. Some offer them as add-on cov­er­age, as well as impose small­er cov­er­age lim­its.

What you need to know

Based on tips from Wag­n­er, Was­son and Mar­ciano, here are some basic things orga­ni­za­tions new to cyber insur­ance should know:

1. Pol­i­cy con­di­tions: Car­ri­ers may deny a claim if prac­tices or min­i­mum stan­dards that were list­ed in the cov­er­age appli­ca­tion are miss­ing or have changed. Know the con­di­tions you must fol­low for the cov­er­age to remain in effect.

Was­son strong­ly cau­tions against buy­ing the kind of pol­i­cy that impos­es the min­i­mum stan­dards or prac­tices con­di­tion. He calls it “essen­tial­ly a mis­takes exclu­sion” and says it’s not com­mon in oth­er types of insur­ance.

2. Exclu­sions: Just as impor­tant as what’s cov­ered is what isn’t. The list of exclu­sions can be exten­sive and include such things as net­work neg­li­gence (e.g. unpatched soft­ware), charge­backs (such as when cred­it card num­bers are stolen) and fail­ure to upgrade tech­nol­o­gy.

3. Expert pan­el: Most plans come with a preap­proved pan­el of cri­sis-response ven­dors. If you have an estab­lished rela­tion­ship with your own ven­dor, the insur­ance com­pa­ny may be will­ing to approve that com­pa­ny for the pan­el.

4. Pri­or acts: It could take a long time for a breach to be dis­cov­ered, which means cyber attack­ers could be lurk­ing in the net­work for months, and some­times years. Some car­ri­ers offer addi­tion­al cov­er­age for pri­or acts, inci­dents that the pol­i­cy­hold­er doesn’t know about yet and that hap­pened pri­or to the retroac­tive pol­i­cy date.

5. Juris­dic­tion: State laws are dif­fer­ent and, in the event of a law­suit, the loca­tion of the court will impact the inter­pre­ta­tion of the con­tract and the dam­ages.

Wag­n­er says the state law should be the lead­ing fac­tor in deter­min­ing the type of pol­i­cy and amount of cov­er­age and should be dis­cussed with the insur­ance bro­ker and legal team.

6. Pol­i­cy amount: Since there is not enough actu­ar­i­al data show­ing how much a loss would cost and the amount of the claim depends on var­i­ous vari­ables, there’s no gold­en rule for how much cov­er­age you will need.

Christine Marciano, Cyber Data-Risk Managers president and CEO
Chris­tine Mar­ciano, Cyber Data-Risk Man­agers pres­i­dent and CEO

Some com­pa­nies look to research such as Ponemon Institute’s Cost of Data Breach sur­veys. But Mar­ciano says it often comes down to what the com­pa­ny can afford.

(The lim­its) tend to be expen­sive and the small­er com­pa­nies often can’t go for the high­er lim­its,” she says.

Was­son says deter­min­ing the ade­quate lim­it is the most dif­fi­cult part of his job.

We know what a good pol­i­cy looks like,” he says, “so some­times the only ques­tion is: Is the insured will­ing to pay for the best pol­i­cy, or do they want the cheap­est thing that meets con­trac­tu­al oblig­a­tions?”

More sto­ries relat­ed to cyber insur­ance:
Chal­lenges and oppor­tu­ni­ties ahead for cyber insur­ance indus­try
As hacks mush­room, all signs point to boom in cyber­se­cu­ri­ty insur­ance
As threats mul­ti­ply, cyber insur­ance and tech secu­ri­ty indus­tries start to merge