Cyber insurance generally covers the risk of loss from system breaches, data losses and other wrongful acts by rogue employees or outside hackers. Coverage can be tailored to the specific needs of your business, but common coverages often include:
- First-party coverage—Business interruption and extra expenses following a cyber event, such as forensic expenses, data restoration expenses and cyberextortion expenses
- Payment or reimbursement of data breach response costs—Legal fees to investigate the event, manage the breach response team and to interpret consumer protection and other laws; forensic investigation fees to determine scope and impact of breach; postage, public relations and other costs to notify third parties of the event; costs to provide credit restoration services to affected parties; and costs for call-center services and websites
- Third-party coverage—Legal fees to defend claims, such as class actions, or to manage regulatory investigations seeking potential fines or penalties
- Payment Card Industry (PCI) fines—Penalties and assessments, including breach-related fraud charges, card reissuance costs and administrative fees
Take action now to implement a plan for cybersecurity coverage that can protect your company. The following questions serve as a primer to help you get started.
1. How do I determine how much cyber coverage I need?
One common misconception is that only merchants processing credit cards need cyber coverage. There is no single formula you can use to determine your maximum foreseeable or maximum probable loss from a cyber event. Peer-group benchmarking can be useful, as can estimating a per-record amount for each compromised record (nonpublic customer or employee information, such as Social Security number, credit or debit card number, email address, account information, health-care record or other identifying information). Insurance industry breach response calculators can also provide some general guidance for discussions around setting limits. Calculating the potential impact of a business interruption loss is a bit trickier, but you can apply some of the same principles used in physical damage modeling and approximate the financial loss an interruption from a cyber event might represent. Regardless of the means by which you quantify your risks, always be mindful that the threat landscape is very dynamic, and new exposures continue to emerge daily.
2. What key coverage issues should I consider when evaluating potential cyber insurance partners?
As with any insurance policy, risk managers should pay special attention to the precise policy wording. Cyber policies vary widely and can be complicated, because the industry has not settled on a common set of terminology and because litigation has only begun to expose gaps in policy language. For example, you should focus on policy definitions that may narrow coverage to only certain systems or only encrypted devices, and on policy sublimits that cap available coverage at a lower dollar threshold, increasing your uninsured, out-of-pocket expense.
3. How should an insured evaluate potential markets?
The cyber insurance marketplace continues to be largely competitive with new entrants and new policy forms being introduced regularly. Overall market capacity continues to grow north of $500 million, with more than 30 active markets. Most Lloyd’s syndicates (lloyds.com) can offer policies without sublimits, and some United States markets are willing to do so for qualifying accounts. As noted above, you want to first make certain that the coverage is where it needs to be. Consider whether to have inside or outside legal review of the policy forms. Market share and claims experience vary greatly in this space, particularly in terms of primary insurance placements. Carefully evaluate the claims team and specific claims experience of leading candidates, such as whether they handle claims in-house or rely heavily on outside coverage counsel. When possible, meet with potential claim representatives from markets vying for your cyber placements.
4. What does the underwriting & application process entail?
If possible, give yourself a long on-ramp to properly identify your company’s cyber exposures. Preparing the application will involve other experts within your company, so budget extra time to get the application properly completed. Once the application is complete, plan for meetings and calls to walk through the options, select a primary market and start negotiating for enhancements and endorsements critical to your business. Also, most cyber quotes will come with binding subjectivities, usually around security protocols such as encryption and disaster recovery plans. It is best to clear all subjectivities prior to binding.
5. What is the process for reporting & managing claims?
Make sure to review your policy thoroughly for reporting requirements for actual or threatened claims, as well as reporting obligations for circumstances that might give rise to a claim. Be aware that your policy may require that you use preselected breach-response vendors or that you secure underwriter approval before engaging any vendors of your own. Make sure relevant stakeholders within your company understand this. Incorporate claims-reporting details into your incident response plan, and periodically verify that you have listed the proper individuals and provided them updated policy information.
6. What lessons can be learned from claims & losses to date?
Wide variations in cyber policy language, philosophies and experiences of various markets, and courts’ legal analyses make it difficult to broadly characterize claims expectations. At this stage in the development of the cyber insurance market, claims are unpredictable compared to more established lines of coverage. Coverage for costs associated with breach-related noncompliance with PCI Data Security Standards is a hotly contested topic—particularly potential distinctions between PCI “fines or penalties” and PCI “assessments,” as well as the language in the contractual liability exclusion. In addition, courts have begun to weigh in on disputes over coverage for cyber-related losses under other lines of coverage and how those policies interact with pure cyber policies. These opinions will show policyholders how to clarify “other insurance” language across all lines of coverage.
7. What loss prevention services do the insurers provide?
A few insurers offer “turn-key” breach response services. These require policyholders to report any incident to a designated hotline, which activates the insurer’s panel of breach resources. However, many insurers will let the policyholder choose between a preapproved panel and its own vendors, subject to insurer consent. The policy will often have detailed information about what to do and whom to notify when the insured first suspects a breach. Read these provisions carefully and consult with your broker before taking any action.
8. What should we be doing to mitigate cyber risks?
Have a documented and tested breach response plan that assigns roles to appropriate parties within your organization, lays out the steps that must be followed and includes detailed information about policy obligations and coverage requirements. Incident preparedness planning leads to prompt breach resolution and lower costs. Don’t let a lack of planning compromise your insurance recovery.