[BreachExchange] Ten Tips On Cyber Liability Insurance

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 17 18:01:11 EDT 2018


IT, we have a problem. Reports of cybersecurity incidents continue to come
in thick and fast. In November 2017, Equifax announced a mammoth data
breach that it estimated would cost more than $140 million to address.
Pharmaceutical giant Merck reported production slowdowns costing almost
$500 million. The city of Atlanta spent $2.7 million to deal with a
ransomware attack from the Petra virus. And irony of ironies, the Dutch
Data Protection Authority sheepishly admitted that it had leaked the names
of some of its own employees.

PwC estimates that cyber incidents cost the global economy $400 billion
annually – and this figure will grow. As costs escalate, organizations look
for ways to manage the risk. Insurers have responded to the demand. One
increasingly popular option is cyber insurance. In a decade, cyber
insurance has exploded from an obscure niche specialty form of coverage to
one that is expected to generate $7.5 billion in premiums by 2020.

Against this backdrop, what do companies need to know about cyber
insurance? Here are our top ten thoughts:

1. Existing Policies Likely Will Not Protect You. While the issue has been
extensively litigated in recent coverage disputes, subsequent revisions to
Commercial General Liability, Directors & Officers Liability, and other
standard policies bar cyber-related claims. Such claims include those
arising from data breaches that involve unauthorized access to or
disclosure of confidential information, and ransomware (including the loss
of the use of electronic data).
2. No Standard Policies. Unlike other areas, the insurance industry has yet
to coalesce around a standard set of terms that constitute a “typical”
cyber insurance policy. The good news is that this enables companies to
negotiate bespoke policies that conform to their specific risk profile. For
example, a health care entity may have extensive post-breach notification
requirements. On the other hand, software support providers may have no
notification requirements, but they may have exposure because of extensive
contractual indemnification obligations. The two entities will have
different risk profiles, and consequently may have different insurance
3. Know Your Minimum Requirements. Any insurance purchase exercise should
map available policy benefits against operational realities. The policy
limits are the most obvious concern: a $100,000 policy limit provides
little protection against a $10,000,000 contingency. But other issues can
be equally significant. How is an occurrence determined? For instance, if
each compromised customer is a separate occurrence with its own
self-insured retention or deductible, you may never meet your deductible.
Does the policy limit coverage only to your own systems? In an era of cloud
computing and vendor integration where third-party systems play key roles
in your overall IT posture, this would leave a significant gap in coverage.
Check your contractual, structural, and regulatory risk before entering the
insurance market.
4. Examine the Fine Print. Do not rely on the glossy marketing materials
the insurer sends your broker. The scope of coverage is controlled by the
policy language. Policy provisions are not always consistent with
promotional materials. Consequently, you need to carefully analyze the
provisions of the policy itself to evaluate its responsiveness to your
needs. If a provision raises red flags, or you identify a critical coverage
gap, take up the issue with the insurer. Or direct your broker to solicit
additional options.
5. Watch out for Pitfalls. Common policy provisions can significantly
undermine coverage. For instance, one recurring issue is a policy that
predicates coverage on meeting specific benchmarks. Have candid
conversations with your IT staff in order to ensure that any such
benchmarks are realistic. For instance, policies may exclude coverage for
unencrypted data. If it is impractical or excessively cumbersome to encrypt
all data as a matter of course, this exclusion is a major land mine.
Another problematic provision is the “Failure to follow your own policy
provision.” Even the most diligent company may fall short of universal
adherence to internal requirements, e.g., there may be a delay in
installing software patches. Such shortfalls are unavoidable. Make sure
they do not void coverage.
6. Beware the Contractual Exclusion. One rider warrants special attention:
the “contractual exclusion.” This provision typically denies coverage for
any obligation that the insured has contractually undertaken. Significant
risks flow from standard business commitments. These range from Payment
Card Industry (PCI) protocols to indemnification obligations to Federal
Acquisition Regulations (FAR) compliance. Therefore, the contractual
exclusion can effectively eviscerate your coverage. It would be hyperbole
to suggest that any cyber insurance policy with a contractual exclusion
offers illusory protection, but such provisions need to be carefully
7. Regulatory Concerns. Government regulators from the SEC to the New York
Department of Financial Services are increasingly inclined to assess cyber
insurance coverage as a key component of a responsible cybersecurity
strategy. Accordingly, you should evaluate proposed policies from the
regulatory perspective: a risk that cannot be completely alleviated may be
acceptable if mitigated via appropriate insurance arrangements. Insurance
coverage should be a place to reinforce your overall regulatory compliance
program. And depending on the provisions of the policy, legal or technical
assistance in responding to regulator queries might be an available benefit.
8. Premium Issues. In the health insurance context, individuals can qualify
for rebates or benefits by ceasing smoking or losing weight. Cyber
insurance offers analogous cost savings. Adoption of recommended security
practices, mandating specified training, or undertaking security risk
reviews can result in lower premiums. Insurers may even assist with these
exercises. In those cases, you get the benefit of the insurer’s accumulated
expertise, while the insurer gets to lower its potential exposure and to
better evaluate its underwriting risk.
9. Evaluate the Experts. One potential coverage benefit, or restriction, is
the requirement to use insurer-contracted experts in the event of a claim.
These experts provide services ranging from public relations/crisis
response to forensics to negotiators to legal counsel. It is critical that
a company is comfortable with the outside experts who will assist it in the
event of a cyber crisis. Some insurers will even make their contracted
response teams available for preventative “table-top” exercises with their
insureds’ cybersecurity teams. If such an opportunity presents itself, take
it. The premium savings alone could justify the exercise. The improved
security posture would be priceless.
10. Talk to your Broker and Counsel. The nuances in this area elevate the
importance of your insurance broker. Your broker is familiar with the
market. Which insurers have a reputation for responsiveness? Prompt
payment? Good recovery staff? What policy provisions conform to your risk
profile? They should be prepared to explore the market and negotiate on
your behalf. In addition, it is generally advisable to have the policy
language reviewed by legal counsel, as both the technology and the law in
this area are evolving rapidly.

For good or otherwise, the cyber insurance market is still in a state of
flux. The good news is that companies have the ability to shop around,
compare various offerings, and negotiate premiums and provisions. The flip
side is that this requires you to do your homework before calling your
broker. Know what you want and what you are looking for, and engage with
your advisors to ensure you get the coverage you need.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180517/1fd518ad/attachment.html>

More information about the BreachExchange mailing list