Adjust Your Cyber Insurance Expectations

Your company may think it has adequate insurance coverage for a network breach, but there’s a good chance that it does not. According to the findings of a recent UK government report, over half of the companies surveyed thought they had the right coverage in place, while only 10 percent actually did. Another sizable group of those surveyed responded that they had no idea which of the many cyber risks facing their company even could be insured.

Going for Broker

The cyber insurance market is relatively young, and it is constantly evolving. By some estimates, there are more than 50 insurance companies underwriting this risk, and the market is growing. Importantly, these insurers differ in the coverage they offer and change their products over time. To make sense of it all, companies should consider working with an insurance broker that has a strong cybersecurity practice. These brokers do the legwork for you. They are able to understand your company-specific needs, review your existing policies, determine your gaps in coverage, explore what coverage is available across the industry, and find competitive pricing (including for small and medium sized businesses).

What’s For Sale?

Regardless of how much you are willing to spend, it turns out that some losses are currently uninsurable in the general marketplace. You will be out of luck, for example, if you try to purchase insurance to cover the value of your company’s stolen intellectual property. On the other hand, the market is increasingly robust when it comes to covering expenses associated with notifying customers of a data privacy breach; the costs of replacing, recreating, repairing or restoring data, software or computer systems that are lost or damaged as the result of a breach; expenses associated with business interruption, as well as the reputational harm from a network outage or security incident; identity theft losses; responding to cyber threats and extortion; defending against claims if your company inadvertently transmits malware to third parties; class action defense costs; regulatory action costs; and crisis management expenses.

Caveat Caveats

Beware of coverage exclusions and understand your policy requirements. Otherwise, the insurance you think you have may not be available when you need it. Exclusions are common if, for example, prior to obtaining the policy, your company knew or should reasonably have known that its network already was infiltrated by the hacker (or malware) giving rise to the claim. A number of policies will not provide coverage if the insured fails to take reasonable steps to keep its software patched and updated. Some policies cover physical damage (think about cyber attacks against control systems); others expressly exclude it. Many policies exclude coverage for data breach losses that occur when your data is on a third party vendor’s network. Some policies expressly include, while others expressly exclude, coverage for claims that are brought by governmental entities.

As for policy requirements, perhaps most important among these is knowing the steps your company must (or must not) take in the event of a claim or loss. Without insurer approval, admitting liability is almost always a no-no, as is settling a case or promising to make payments. In fact, oftentimes you cannot incur any costs or expenses that you intend to claim without the insurance carrier’s written agreement. Is your CEO about to announce free credit monitoring at this morning’s press conference? Beware.

Promises Promises

Purchasing insurance requires that your company make certain representations and warranties. Your cybersecurity and risk management team should be involved in this part of the process. Since all insurance policies are issued in reliance on the truth and accuracy of a company’s application and accompanying materials, all bets could be off in the face of an insured’s material misrepresentations or omissions. Your company may be asked about the controls it has in place to prevent, detect and contain cybersecurity incidents, and to attest to the fact that it actually implemented all of those security policies. Perhaps your company will warrant that, during the term of the coverage, it will use encryption and two-factor authentication. Regardless, it is important for your company to properly inform its promisors and to continuously track its promises.

Conclusion

If your company has not recently analyzed and assessed its cyber insurance coverage, the odds are that your company either thinks it has coverage in place that it does not, or that it thinks that it cannot obtain coverage that it can. With the help of outside experts, especially insurance brokers, it is easy to determine and address your cyber insurance needs. With the help of inside experts, it is important to ensure compliance with your cyber insurance representations and warranties.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.