Although cyber insurance has been around for a few years now, it is still a fairly new concept and the industry is expected to grow rapidly in the near future, so companies may have questions. Lynda A. Bennett, Chair of Insurance Coverage Practice at the law firm of Lowenstein Sandler, LLP, in Roseland, New Jersey, spoke with Security about the ins and outs of cyber insurance. As an attorney specializing in these types of claims, Bennett represents enterprises, not insurers.
Cyber insurance can cover one or more areas such as security or privacy breaches, the costs associated with such a breach, the expenses incurred by the interruption of business should a breach occur, any multimedia liability associated with a breach, cyber extortion and expenses related to regulatory compliance, says the National Association of Insurance Commissioners. As of October 2014, only 26 percent of companies had a cyber insurance policy, though that number had increased 150 percent since 2012. Meanwhile, one Ponemon Institute study showed that cyber crime costs for retail stores in the U.S. more than doubled from 2013 to 2014 and grew considerably in the financial services, technology and communications sectors as well.
Bennett has seen interest in cyber insurance grow in the last year, thanks in part to the barrage of security breaches at large companies that are constantly in the news. These stories are “opening the eyes of every industry to the fact that security risks and hackers are active and trying to get at your data, no matter what type of industry or company you are,” she says.
How Useful is Cyber Insurance?
Cyber insurance is useful in two main ways, says Bennett. Because the underwriting process is relatively rigorous, it pushes companies to look more closely at their technology, services and vendor processes. Companies need to make sure they have technology in place to protect their information, that they’re using vendors who follow best practices regarding security, and that they’re outsourcing their information responsibly. “The underwriting process has been very helpful to companies to start some of their gap analysis and to modify some of their internal policies and procedures,” she says.
Second, having the cyber policy in place gives the company insurance resources, and the peace of mind that comes with them, for managing the business interruption claims that may result from a data breach. “Also the liability coverage that is offered on these policies is obviously very helpful if there are going to be extensive regulatory investigations, notifications, costs, class action lawsuits or things of that nature. You’ll have insurance in place to protect against those risks,” says Bennett.
The truth is, cyber insurance is very complicated. “The devil really is in the details because there are 40 different policy forms out there right now, and you need to make sure you’re negotiating the right policy for your particular company’s needs,” she says. “It’s also still fairly expensive.” Because of the expense, companies need to decide both what size limit to buy and what size self-insured retention to accept (the amount the insured must pay out of pocket before the policy kicks in and coverage can be accessed).
What Should Businesses Be Demanding in their Cyber Insurance Coverage?
Several specific considerations need to be taken into account when deciding what to include in cyber insurance coverage. If you need to get coverage for PCI fines and assessments, make sure that’s included and that it’s enough for your needs. “That’s a significant difference among the coverage policies that are out there right now,” Bennett says. “Some carriers will agree to add that coverage by endorsement and typically when they do add it, they don’t give you the full policy limit on it; they’ll put a sub-limit on it. For example, they’ll cover up to $500,000 or $1,000,000 in PCI fines and assessments that you may receive from regulators.”
Another issue is defining computer systems or networks. “You need to give consideration as to whether that’s limited to just the company’s computer software and hardware, and if you’re using third-party vendors, what you need to do to get coverage for information that’s stored there,” says Bennett. The definition may need to be modified on the policy or, at the very least, companies need to make sure that the third-party vendors they are using have sufficient cyber coverage in place for the information they’re protecting.
Bennett wants people to realize that the placement process for cyber insurance is a bit different than it is for ordinary insurance policies. Along with the application, you also have to provide a representations and warranties letter that describes your cyber preparedness and who within the organization has been polled before making that representation and warranty. “I want to make sure that companies carefully read those letters and understand that they can be subject to negotiation. It’s not something that you want to just sign,” Bennett says. “You really need to pay careful attention to the representations and warranties that you’re making and on behalf of whom in your organization because if after a claim is presented, for example, some lower-level employee has information or knew that there was a potential chink in the shield and it didn’t make its way up to the chief IT officer, you don’t want this coverage that you spent a lot of money on to not be available because they’re going to say they’re rescinding the policy or you’ve made a material misrepresentation, so they’re not covering you.”
Obviously companies want the broadest coverage terms and the narrowest exclusions, but “these policies are very tricky, and you really want to make sure the policy is customized to the specific risks that your company faces,” says Bennett. “For example, a retailer may want to put more of a limit into that PCI sub-limit, whereas a financial broker dealer securities firm may not care about that as much because they don’t interact with people’s credit card information. The key to these policies is customizing them to your particular risks and the industry that you’re in. The cyber risks are really different industry by industry.”
What Should Policyholders Know about their Chances when Making Legitimate Claims?
Policyholders need to let the insurance company know immediately when there is a claim. The reason is that these policies are written on a “claims-made basis,” which means that if a business puts off giving the insurance company notice, the insurer may be able to deny coverage for the claim entirely by saying that the business waited too long to report it. “The most common mistake I see people make in this respect is when the claim first comes in, they have an expectation, belief, or a hope that it will stay within the self-insured retention so they don’t need to let the insurance company know. What happens is the claim takes on a life of its own and gets much bigger, and then the insurance company says you waited too long to tell them about it, so no coverage,” Bennett says.
Another reason to give the insurance company immediate notice of the claim concerns the self-insured retention: insurers will not credit losses against the retention until they have been notified, she says. “If you’re going to start spending money on a data breach claim, you want the carrier to know about it right away so that you don’t face a late notice defense and so that you’re eroding that self-insured retention as soon as possible.”
What Makes Businesses an Attractive Risk to Insurance Companies?
“To be an attractive risk, you need to have some very detailed data management policies and procedures or best practices in place, so when you go to apply for the cyber policy, an insurer is going to be more likely to work with you and issue a policy at a competitive price,” Bennett says. Knowing details like where and how electronic data is stored, security controls that are in place, disaster planning if there is a breach, the chain of command as far as who is called, and the steps that would be taken to minimize a breach if it were to occur, all help make a company a much more attractive risk, she says. “Having good policies and procedures in place already makes you an attractive risk because number one, if you have all of these controls in place on the front end, it reduces the likelihood that you’re going to experience a breach at all. Two, if you do experience a breach, it’s likely that it will be a smaller risk than companies that haven’t already done the work to manage their data and are starting from square one.”
What Should Companies that Are Looking into Obtaining Cyber Insurance Know?
Bennett recommends working with a knowledgeable broker that specializes in this type of coverage, as well as including counsel in the discussion. “There are some companies that use a broker to do all of their traditional policy placements, and that’s fine, but they would be well-served to go to a specialist on these cyber policies because the terms, the conditions, the pricing, the available limits, are literally changing on a monthly, if not weekly, if not daily, basis. You want to be working with a person who is in this market and placing this coverage day in and day out. That’s the best way to ensure the best deal,” she says.
She also highly recommends coordinating internally. “You need the risk management folks, the board of directors, and people from your IT department to be involved in the discussion because one of the other things that I’ve seen in advising our clients is a lot of times, with all of these security measures, it’s about creating a shopping list and prioritizing,” she says. This helps in deciding which policy to buy, at what rate, what premium, and what levels, but there’s an additional benefit to including these people. Other risk management tools can be decided on and implemented to minimize losses as well. “There’s a cost to everything, and it’s about balancing resources on cybersecurity among all those options. You really need the whole team to be involved in that decision making process,” says Bennett.
Is It Worth It to Have Cyber Insurance Coverage?
Bennett says yes. “As I said before, the devil is in the details, but where we come out on it at the end of the day is that you’re better to have an insurance policy in place and available to you when you face a catastrophic data breach risk than to have nothing at all because with nothing at all, it’s entirely out of the company’s profits.”