Cyber Risk and Insurance: What Every Business Leader Should Know, Part 2
What Does Cyber Insurance Cover?
Cybersecurity is no longer just about risks to information assets. While originally designed to address third party privacy breaches, today many policies have been expanded to include broader third party and first party risks as well. For example, a cyber attack can now cause property damage or loss of physical assets that could also lead to financial loss from business interruption as well as liability from bodily injury or pollution. An assumption that coverage should rest within a property or terrorism policy may not be accurate.
Insurers also continue to address those first-party risks that could have a significant impact on revenue from attacks on corporate networks, extortion demands and the costs to restore compromised data. Below is a list of what can often be covered.
- Personally identifiable information and/or protected health information of employees or consumers
- Confidential corporate information
Data Breach Response Costs:
- Credit monitoring
- IT forensics
- Public relations
- Defense costs and civil fines from a privacy regulatory action
- Defense costs and damages from civil litigation
Corporate Information Technology Network:
- Costs to restore compromised data
- Reimbursement for costs associated with an extortion threat
- A few insurers have begun to extend coverage beyond the information technology network to also include operational technology, such as industrial control systems.
- Can include bodily injury and property damage
Reputation and Brand:
- Insuring reputational risk from some form of cyber event remains out of scope for the majority of insurers
- At the time of writing, the London market has begun to innovate to address the financial loss after adverse media publicity
- Capacity, however, is still constrained
A Comprehensive Insurance Solution
|Network Security Liability
||Errors & Omissions
||Data Breach Expense Reimbursement
|Privacy Regulatory Proceedings + Fines
||Network Business Interruption + Data Restoration and Reputation Harm
Ten Key Coverage Items—The Devil is in the Details
When considering the purchase of cyber insurance, it is important that you take into consideration the following:
- Full Prior Acts Coverage
Insurers try to limit coverage to acts from the first day that the policy begins, known as the retroactive date. However, in the context of the challenges in detecting an attack, buyers should seek to remove this exclusion and avoid the risk of a claim denial.
- Restrict Knowledge and Notice of a Circumstance to the Executive Team
Again, it is important that the policy not allow an insurer to impute liability to the whole enterprise because detection has proven to be a challenge.
- Security Warranty
Remove any language that tries to warrant that security is maintained to the same level as represented in the underwriting submission. The dynamic nature of the risk leaves this too open to insurer interpretation in the event of a loss.
- Operational Technology
The majority of insurance policies provide coverage only to the corporate IT network. If relevant, ensure language is broadened to also address operational technology such as industrial control systems.
- Outside Counsel
Choice of counsel must be agreed upon at the outset. In the event of a security breach, a dedicated legal expert must take the response lead not least for attorney-client privilege. Negotiating with an insurer during the event would be counterproductive.
- IT Forensics
In a similar vein to choice of counsel, the preferred forensics firm must be agreed upon upfront. Forensics are not inexpensive and can form a significant part of the overall cost.
- Law Enforcement
Law enforcement is typically involved in a major security breach. In fact many times the FBI, the agency leading cybersecurity corporate defense, notifies the enterprise before it becomes aware of the breach. A claim should not be excluded by an insurer for “failure to disclose as soon as practicable” if law enforcement advised nondisclosure during the investigation.
- War and Terrorism
Many insurance policies exclude acts of war and terrorism, which must be deleted with the emergence of the nation-state adversary in particular.
- Intentional Act
Ensure that coverage addresses the employee or insider as perpetrator acting in isolation of the executive team.
- Continuity of Coverage
When renewing the insurance policy with the same insurer, avoid signing a warranty regarding a circumstance or claim.
What Does Cyber Insurance Not Cover?
Intellectual Property Assets
Theft of one’s own corporate intellectual property (IP) still remains uninsurable today as insurers struggle to understand its intrinsic loss value once compromised. The increasing difficulty in simply detecting an attack and, unlike a breach of personally identifiable information (PII) or protected health information (PHI), the frequent lack of a legal obligation to disclose it suggest a solution is not in the immediate future.
Leveraging Cyber Insurance as a Risk Management Tool
Since 2009, the cyber marketplace has evolved to provide services to help buyers manage risk. Focused mainly on post-event response, turnkey products have emerged which provide a panel of legal, forensics and public relations specialists. Popular with smaller enterprises that lack the resources or relationships, this innovation has been a key component in increasing the relevance of cyber insurance and consequently its growth. Larger firms typically seek products based on breadth of coverage and the flexibility to use their own vendor network.
Services that help mitigate risk before an event occurs have started to emerge. Insurers will likely begin to incentivize buyers to adopt these services with rewards such as discounted premiums.
How Insurers Underwrite (Price) Cyber Risks—What You Should Know
Historically, underwriters have sought to understand the controls that enterprises leverage around their people, processes and technology. However, the majority of assessments are static, meaning they consist of a snapshot at a certain point in time through the completion of a written questionnaire, a phone interview or a presentation. A consensus is growing that this approach is increasingly redundant and that insurers will seek to partner with the security industry to use tools that can help predict and monitor the threat as part of the underwriting process. The goal is to adopt a more data-centered process in which threat intelligence is utilized as part of the underwriting process. In fact, this has already started to happen as certain insurers are using technology to underwrite vendor and M&A activity risk.
Fundamentally, insurers look for a strong security culture within a firm as the first step in risk triage. Additional factors such as industry, revenue size and actual assets at risk also contribute to how the risk is underwritten and ultimately priced.