Not all cyber insurance is created equal: Tips for businesses shopping for coverage
Embracing best security practices is a starting point; no typical coverage yet exists
By Edward Iwata, ThirdCertainty
(Editor’s note: This is part three a three-part series on the emerging cyber insurance market.)
The grim warnings from cybersecurity and risk-management experts are clear: The potential financial losses from cyber attacks should be taken as seriously as the carnage wreaked by fires, floods, hurricanes and earthquakes.
As more businesses explore buying cyber insurance to cushion the impact of cyber crimes, there are dozens of key factors to weigh before taking the plunge. Here are a few tips for businesses seeking cyber coverage:
Understand your company’s risk of exposure
Before buying coverage, companies must have a clear understanding of their risks, which can vary widely depending on the industry, type of business, existing network security and other factors.
Companies and insurers should discuss “the fundamentals of good security” and how security practices influence coverage and premiums, advises PwC in its 2014 report “Managing Cyber Risks with Insurance.” The National Institute of Standards and Technology (NIST) issued comprehensive cybersecurity guidelines in 2014.
Robert Parisi, managing director at Marsh FINPRO, writes in an email interview: “Once the risk is understood, then the insurance discussion begins as a broker assists the client in procuring coverage that addresses the risks that are of greatest concern.”
Cybersecurity is a critical issue that should involve the entire management team
Surprisingly, many executives still see cyber attacks only as a technology or security issue, when it is a critical business issue that dramatically affects a company’s operations, its customers, its brand and reputation.
PwC’s 2014 report advises that companies “should not relegate cybersecurity to an isolated technology function that is detached from enterprise risk management.”
Always involve legal counsel and top executives in all areas when purchasing and renewing cyber policies, says Jerold Oshinsky of the Kasowitz Benson Torres & Friedman law firm.
Check whether your traditional business insurance policies cover any cyber-related incidents
It’s early in the legal game and still under debate whether traditional business policies cover the many aspects of cyber attacks. In some cases, existing business policies still may apply.
Directors-and-officers (D&O) coverage, for example, may cover some cyber claims “if executives have not done what may be reasonably necessary to protect against a data breach event, including purchasing adequate insurance,” says Oshinsky, who represents Cottage Healthcare Systems in a major cyber-insurance case against CNA’s Columbia Casualty.
Columbia alleges that Cottage and its technology consultant Insync Computer Solutions did not maintain adequate cybersecurity, leading to the exposure on the Internet of 32,000 patient records. A California judge recently tossed the case, telling the legal parties to go through alternative dispute resolution to settle the matter.
Carefully evaluate stand-alone cyber policies
More businesses are exploring custom, stand-alone cyber policies designed for their industries and level of risk. Insurance may cover breaches of privacy, lost and damaged data, interruption of business, legal and investigative costs, credit monitoring of customers, crisis management and many other potential costs.
In general, policies require that policyholders follow “best practices” or “minimum required practices” in their cybersecurity, including strong security software and firewalls, emergency response to cyber attacks, training for employees, and other practices.
Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction
There is no such thing as a typical policy for small to large businesses. Companies may pay anywhere from $1,000 to more than $100,000 for the same $10 million in coverage, depending on the industry and risk profile, says Jason Straight, senior vice president and chief privacy officer at UnitedLex.
According to Parisi at Marsh FINPRO, “costs vary too much for any estimate to be meaningful” without looking at “the size of the applicant, industry class, the elements of cyber coverage purchased, etc.”
Watch for policy exclusions
Defining exclusions in coverage also is especially tricky. Insurers, for instance, may balk at covering policyholders who do not practice vigilant security. And policyholders may not read the fine print of policies, or agree to exclusions that are too broad and vague.
In Law 360, partners Daniel Marvin and Robert Stern of the Stern & Montana law firm advise that businesses hunting for cyber insurance must “fully understand the terms and scope of coverage and any exclusions in potential policies. …”
Insurers are looking more closely at high-risk coverages such as legal and regulatory costs—especially as government scrutiny increases in the financial, retail and healthcare sectors. Underwriters may trim such coverage if businesses do not have solid cybersecurity measures and “essential practices” in place, according to Parisi.
Seek advice from a good attorney, insurance broker or other third-party vendor
Shopping for a cyber policy is not as easy as buying auto or homeowners coverage. Given the complexity of cyber policies, businesses should consult with an experienced, trustworthy expert before plunging in.
A first-rate adviser can “easily walk a client through an application” for insurance, Parisi says, or go through a more in-depth analysis involving “risk probability, scenario modeling, benchmarking and coverage comparison.”
Straight at UnitedLex says it’s critical for businesses to find a knowledgeable lawyer who understands the company’s industry and the intricacies of cyber coverage. Also look for a sharp broker who knows risk assessment, cyber policies and the best insurance carriers. Ask many questions and ask for references.
“There are so many nuances in the insurance space, and not all coverage is created equal,” Straight says. “So getting good counsel and the right insurance broker is really important.”