Cyber Risk and Insurance: What Every Business Leader Should Know, Part 2


What Does Cyber Insurance Cover?


Cybersecurity is no longer just about risks to information assets. While originally designed to address third-party privacy breaches, today many policies have been expanded to include broader third-party and first-party risks as well. For example, a cyber attack can now cause property damage or loss of physical assets, which could in turn lead to financial loss from business interruption as well as liability from bodily injury or pollution. An assumption that such coverage should rest within a property or terrorism policy may not be accurate.

Insurers also continue to address those first-party risks that could have a significant impact on revenue from attacks on corporate networks, extortion demands and the costs to restore compromised data. Below is a list of what can often be covered.

Insurable Assets:

  • Personally identifiable information and/or protected health information of employees or consumers
  • Confidential corporate information

Data Breach Response Costs:

  • Notification
  • Credit monitoring
  • IT forensics
  • Public relations
  • Defense costs and civil fines from a privacy regulatory action
  • Defense costs and damages from civil litigation

Corporate Information Technology Network:

  • Costs to restore compromised data
  • Reimbursement for costs associated with an extortion threat

Operational Technology:

  • A few insurers have begun to extend coverage beyond the information technology network to also include operational technology, such as industrial control systems.
  • Can include bodily injury and property damage

Reputation and Brand:

  • Insuring reputational risk from some form of cyber event remains out of scope for the majority of insurers
  • At the time of writing, the London market has begun to innovate to address the financial loss after adverse media publicity
  • Capacity, however, is still constrained

A Comprehensive Insurance Solution

Network Security Liability
  • Claim expenses and damages arising from network and non-network security breaches
Errors & Omissions
  • Claim expenses and damages emanating from a wrongful act in the performance of or failure to perform technology services or other professional services
  • Claim expenses and damages emanating from your technology products’ failure to perform or serve the purpose intended
Multimedia Liability
  • Claim expenses and damages arising from personal injury torts and intellectual property infringement (except patent infringement)
  • Claim expenses and damages arising from electronic publishing (website) and other dissemination of matter
Data Breach Expense Reimbursement
  • Expense reimbursement for third-party reasonable and necessary costs, including:
    • Public relations costs
    • Legal and forensics expenses
    • Credit protection, mailing and tracking, call center, etc.
  • Addresses three scenarios: mandatory, contractual and voluntary
Privacy Liability
  • Claim expenses and damages emanating from a violation of a privacy law or regulation
  • Common law invasion of privacy or infringement of privacy rights
Cyber Extortion
  • Reasonable and necessary expenses and any funds paid in connection with an extortion attempt
Privacy Regulatory Proceedings + Fines
  • Claim expenses in connection with a regulatory inquiry, investigation or proceeding
  • Privacy regulation civil fines and consumer redress fund
  • PCI DSS fines and assessments
Network Business Interruption + Data Restoration and Reputation Harm
  • Loss of net income and extra expense

Ten Key Coverage Items—The Devil is in the Details

When considering the purchase of cyber insurance, it is important that you take into consideration the following:

  1. Full Prior Acts Coverage

Insurers try to limit coverage to acts occurring from the first day the policy begins, known as the retroactive date. However, given the challenges in detecting an attack, buyers should seek to remove this exclusion and avoid the risk of a claim denial.

  2. Restrict Knowledge and Notice of a Circumstance to the Executive Team

Again, it is important that the policy not allow an insurer to impute liability to the whole enterprise, because detection has proven to be a challenge.

  3. Security Warranty

Remove any language that tries to warrant that security is maintained at the same level as represented in the underwriting submission. The dynamic nature of the risk leaves this too open to insurer interpretation in the event of a loss.

  4. Operational Technology

The majority of insurance policies provide coverage only for the corporate IT network. If relevant, ensure the language is broadened to also address operational technology such as industrial control systems.

  5. Outside Counsel

Choice of counsel must be agreed upon at the outset. In the event of a security breach, a dedicated legal expert must take the response lead, not least to preserve attorney-client privilege. Negotiating with an insurer during the event would be counterproductive.

  6. IT Forensics

In a similar vein to choice of counsel, the preferred forensics firm must be agreed upon upfront. Forensics are not inexpensive and can form a significant part of the overall cost.

  7. Law Enforcement

Law enforcement is typically involved in a major security breach. In fact, many times the FBI, the agency leading cybersecurity corporate defense, notifies the enterprise before it becomes aware of the breach. A claim should not be excluded by an insurer for “failure to disclose as soon as practicable” if law enforcement advised nondisclosure during the investigation.

  8. War and Terrorism

Many insurance policies exclude acts of war and terrorism. This exclusion must be deleted, particularly given the emergence of the nation-state adversary.

  9. Intentional Act

Ensure that coverage addresses the employee or insider as perpetrator, acting independently of the executive team.

  10. Continuity of Coverage

When renewing the insurance policy with the same insurer, avoid signing a warranty regarding a circumstance or claim.

What Does Cyber Insurance Not Cover?

Intellectual Property Assets

Theft of one’s own corporate intellectual property (IP) remains uninsurable today, as insurers struggle to understand its intrinsic loss value once compromised. The increasing difficulty of simply detecting an attack and, unlike a breach of personally identifiable information (PII) or protected health information (PHI), the frequent absence of a legal obligation to disclose it suggest that a solution is not in the immediate future.

Leveraging Cyber Insurance as a Risk Management Tool

Since 2009, the cyber marketplace has evolved to provide services that help buyers manage risk. Focused mainly on post-event response, turnkey products have emerged that provide a panel of legal, forensics and public relations specialists. Popular with smaller enterprises that lack the resources or relationships, this innovation has been a key component in increasing the relevance of cyber insurance and, consequently, its growth. Larger firms typically seek products based on breadth of coverage and the flexibility to use their own vendor network.

Services that help mitigate risk before an event occurs have started to emerge. Insurers will likely begin to incentivize buyers to adopt these services with rewards such as discounted premiums.

How Insurers Underwrite (Price) Cyber Risks—What You Should Know

Historically, underwriters have sought to understand the controls that enterprises apply to their people, processes and technology. However, the majority of assessments are static, meaning they consist of a snapshot at a certain point in time, obtained through the completion of a written questionnaire, a phone interview or a presentation. A consensus is growing that this approach is increasingly redundant and that insurers will seek to partner with the security industry to use tools that can help predict and monitor the threat as part of underwriting. The goal is a more data-centered process in which threat intelligence informs the underwriting decision. In fact, this has already started to happen, as certain insurers are using technology to underwrite vendor and M&A activity risk.

Fundamentally, insurers look for a strong security culture within a firm as the first step in risk triage. Additional factors such as industry, revenue size and actual assets at risk also contribute to how the risk is underwritten and ultimately priced.


About the Author

Laura Walton

Laura Walton is a senior vice president for Lockton, the world’s largest privately held, independent insurance broker. Laura specializes in providing expert advice to small and large business owners and executives on risk assessment and management strategies. Her experience includes advising venture capital and private equity firms regarding insurance strategies associated with merger and acquisition transactions and her expertise spans the financial services, food processing, technology, life sciences, retail, transportation and manufacturing sectors.



Published: 04/17/2017
