Not all cyber insurance is created equal: Tips for businesses shopping for coverage

Embracing best security practices is a starting point; no typical coverage yet exists

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

(Editor’s note: This is part three a three-part series on the emerg­ing cyber insur­ance market.)

The grim warn­ings from cyber­se­cu­ri­ty and risk-man­age­ment experts are clear: The poten­tial finan­cial loss­es from cyber attacks should be tak­en as seri­ous­ly as the car­nage wreaked by fires, floods, hur­ri­canes and earthquakes.

As more busi­ness­es explore buy­ing cyber insur­ance to cush­ion the impact of cyber crimes, there are dozens of key fac­tors to weigh before tak­ing the plunge. Here are a few tips for busi­ness­es seek­ing cyber coverage:

Under­stand your company’s risk of exposure

Before buy­ing cov­er­age, com­pa­nies must have a clear under­stand­ing of their risks, which can vary wide­ly depend­ing on the indus­try, type of busi­ness, exist­ing net­work secu­ri­ty and oth­er factors.

Com­pa­nies and insur­ers should dis­cuss “the fun­da­men­tals of good secu­ri­ty” and how secu­ri­ty prac­tices influ­ence cov­er­age and pre­mi­ums, advis­es PwC in its 2014 report “Man­ag­ing Cyber Risks with Insur­ance.” The Nation­al Insti­tute of Stan­dards and Tech­nol­o­gy (NIST) issued com­pre­hen­sive cyber­se­cu­ri­ty guide­lines in 2014.

Robert Parisi, man­ag­ing direc­tor at Marsh FINPRO, writes in an email inter­view: “Once the risk is under­stood, then the insur­ance dis­cus­sion begins as a bro­ker assists the client in procur­ing cov­er­age that address­es the risks that are of great­est concern.”

Cyber­se­cu­ri­ty is a crit­i­cal issue that should involve the entire man­age­ment team

Sur­pris­ing­ly, many exec­u­tives still see cyber attacks only as a tech­nol­o­gy or secu­ri­ty issue, when it is a crit­i­cal busi­ness issue that dra­mat­i­cal­ly affects a company’s oper­a­tions, its cus­tomers, its brand and reputation.

PwC’s 2014 report advis­es that com­pa­nies “should not rel­e­gate cyber­se­cu­ri­ty to an iso­lat­ed tech­nol­o­gy func­tion that is detached from enter­prise risk management.”

Always involve legal coun­sel and top exec­u­tives in all areas when pur­chas­ing and renew­ing cyber poli­cies, says Jerold Oshin­sky of the Kasowitz Ben­son Tor­res & Fried­man law firm.

Check whether your tra­di­tion­al busi­ness insur­ance poli­cies cov­er any cyber-relat­ed incidents

Jerold Oshinsky, Kasowitz Benson Torres & Friedman law firm partner
Jerold Oshin­sky, Kasowitz Ben­son Tor­res & Fried­man law firm partner

It’s ear­ly in the legal game and still under debate whether tra­di­tion­al busi­ness poli­cies cov­er the many aspects of cyber attacks. In some cas­es, exist­ing busi­ness poli­cies still may apply.

Direc­tors-and-offi­cers (D&O) cov­er­age, for exam­ple, may cov­er some cyber claims “if exec­u­tives have not done what may be rea­son­ably nec­es­sary to pro­tect against a data breach event, includ­ing pur­chas­ing ade­quate insur­ance,” says Oshin­sky, who rep­re­sents Cot­tage Health­care Sys­tems in a major cyber-insur­ance case against CNA’s Colum­bia Casualty.

Colum­bia alleges that Cot­tage and its tech­nol­o­gy con­sul­tant Insync Com­put­er Solu­tions did not main­tain ade­quate cyber­se­cu­ri­ty, lead­ing to the expo­sure on the Inter­net of 32,000 patient records. A Cal­i­for­nia judge recent­ly tossed the case, telling the legal par­ties to go through alter­na­tive dis­pute res­o­lu­tion to set­tle the matter.

Care­ful­ly eval­u­ate stand-alone cyber policies

More busi­ness­es are explor­ing cus­tom, stand-alone cyber poli­cies designed for their indus­tries and lev­el of risk. Insur­ance may cov­er breach­es of pri­va­cy, lost and dam­aged data, inter­rup­tion of busi­ness, legal and inves­tiga­tive costs, cred­it mon­i­tor­ing of cus­tomers, cri­sis man­age­ment and many oth­er poten­tial costs.

In gen­er­al, poli­cies require that pol­i­cy­hold­ers fol­low “best prac­tices” or “min­i­mum required prac­tices” in their cyber­se­cu­ri­ty, includ­ing strong secu­ri­ty soft­ware and fire­walls, emer­gency response to cyber attacks, train­ing for employ­ees, and oth­er practices.

Free IDT911 white paper: Breach, Pri­va­cy, And Cyber Cov­er­ages: Fact And Fiction

There is no such thing as a typ­i­cal pol­i­cy for small to large busi­ness­es. Com­pa­nies may pay any­where from $1,000 to more than $100,000 for the same $10 mil­lion in cov­er­age, depend­ing on the indus­try and risk pro­file, says Jason Straight, senior vice pres­i­dent and chief pri­va­cy offi­cer at Unit­edLex.

Accord­ing to Parisi at Marsh FINPRO, “costs vary too much for any esti­mate to be mean­ing­ful” with­out look­ing at “the size of the appli­cant, indus­try class, the ele­ments of cyber cov­er­age pur­chased, etc.”

Watch for pol­i­cy exclusions 

Defin­ing exclu­sions in cov­er­age also is espe­cial­ly tricky. Insur­ers, for instance, may balk at cov­er­ing pol­i­cy­hold­ers who do not prac­tice vig­i­lant secu­ri­ty. And pol­i­cy­hold­ers may not read the fine print of poli­cies, or agree to exclu­sions that are too broad and vague.

In Law 360, part­ners Daniel Mar­vin and Robert Stern of the Stern & Mon­tana law firm advise that busi­ness­es hunt­ing for cyber insur­ance must “ful­ly under­stand the terms and scope of cov­er­age and any exclu­sions in poten­tial policies. …”

Insur­ers are look­ing more close­ly at high-risk cov­er­ages such as legal and reg­u­la­to­ry costs—especially as gov­ern­ment scruti­ny increas­es in the finan­cial, retail and health­care sec­tors. Under­writ­ers may trim such cov­er­age if busi­ness­es do not have sol­id cyber­se­cu­ri­ty mea­sures and “essen­tial prac­tices” in place, accord­ing to Parisi.

Seek advice from a good attor­ney, insur­ance bro­ker or oth­er third-par­ty vendor 

Shop­ping for a cyber pol­i­cy is not as easy as buy­ing auto or home­own­ers cov­er­age. Giv­en the com­plex­i­ty of cyber poli­cies, busi­ness­es should con­sult with an expe­ri­enced, trust­wor­thy expert before plung­ing in.

A first-rate advis­er can “eas­i­ly walk a client through an appli­ca­tion” for insur­ance, Parisi says, or go through a more in-depth analy­sis involv­ing “risk prob­a­bil­i­ty, sce­nario mod­el­ing, bench­mark­ing and cov­er­age comparison.”

Straight at Unit­edLex says it’s crit­i­cal for busi­ness­es to find a knowl­edge­able lawyer who under­stands the company’s indus­try and the intri­ca­cies of cyber cov­er­age. Also look for a sharp bro­ker who knows risk assess­ment, cyber poli­cies and the best insur­ance car­ri­ers. Ask many ques­tions and ask for references.

There are so many nuances in the insur­ance space, and not all cov­er­age is cre­at­ed equal,” Straight says. “So get­ting good coun­sel and the right insur­ance bro­ker is real­ly important.”

Part 1: Cyber insur­ance mar­ket aris­es to meet secu­ri­ty, pri­va­cy challenges. 
Part 2
: Despite bar­ri­ers, cyber insur­ance is catch­ing on in key sec­tors.


Posted in News & Analysis