Cyber insurance can help protect a company that has been the victim of a cyber incident. When confidential information is breached, a company will face a variety of losses and expenses. Insurance should be part of a company’s risk and compliance management plans and policies. Cybersecurity and an effective response plan can help protect a company and mitigate these losses and expenses.
There have been many articles written about the risks of cyber crime and the need for cyber insurance to protect against arising financial loss; however, cyber policies themselves remain poorly understood by many agents and most insureds. Let’s shed some light on why that is the case and some of the key concepts to watch.
Cyber insurance can be confusing. Most companies did not actively evaluate these risks until Sony Corp. of America was hacked in 2011. At that time, Zurich American Insurance Company declined Sony’s claim under the general liability policy, as commercial general liability (CGL) language in effect at that time did not contemplate cyber incidents and associated data losses. This was an eye-opening initial outcome that has since been appealed and settled. But since that time, cyber policies have been expanding to supplement and cover the risks that traditional, or “standard lines,” coverage does not wish to underwrite.
The insurance industry to date has taken an overall ad hoc approach to the creation of cyber coverage. There is currently no standard form, as each carrier has its own policy. Carriers often use their own definitions or define words differently than might be anticipated. This makes coverage in policies from different carriers very difficult to compare without a detailed analysis, even for professionals working in the insurance industry and in the cyber incident space. To further complicate things, many forms provide some cyber coverage at lower sublimits, leading insureds to believe they have sufficient coverage when in fact they do not.
Coverage pricing is also volatile, meaning pricing alone cannot even be used to differentiate adequate or inadequate coverage levels. Insurance depends on actuarial tables to rate risk; if insuring buildings and boats, this works very well. Actuarial tables have existed for hundreds of years on these items, providing underwriters a sense of the risk of loss. Also, when a building burns down or a ship sinks, it is almost always reported.
This is not the case with cyber incidents. Many events and losses go unreported for reasons ranging from lack of coverage to not wanting to alarm vendors, clients, or employees. This makes insurance in the cyber-related sector much more difficult to predict and rate compared with other lines.
When one looks closely, cyber insurance can be broken down into two broad categories: third-party and first-party coverage. Types of coverage available include hacksurance, theft and fraud, business interruption, forensic investigation, data loss and restoration, extortion, and reputation. Let’s go deeper into these, starting with third-party coverage.
Third-party coverage generally deals with liability to others. If a failure in an insured network causes someone damage or financial harm, the third-party coverages can be called on to indemnify. Risks range from losing data to spreading a virus to other businesses. Almost all cyber insurance policies cover at least some of these liabilities. Business owners should pay special attention to confirm what is covered and when the insurance provider can pay or reimburse damages. For instance, if part of a network is not controlled by a company (i.e., certain network operations are outsourced to another company), this could be excluded on some policies, and losses arising out of the noncontrolled network would not be covered.
In addition to what is covered, who is covered can be just as important. Some policies do not cover losses of employee data. This can be a huge gap in coverage as employers have all sorts of information on their employees (such as medical information from health insurance applications, banking and payroll information, and social security numbers). Business owners should not assume, and should confirm, that current cyber insurance policies include employees as part of their coverage.
While most policies have similarities when covering liabilities, the major differentiation in cyber insurance policies is found in the first-party coverages. This type of coverage is for losses that occur to the insured for damage to its own network or data. As previously stated, cyber insurance policies are all different. For example, one provider might call its business interruption coverage “Cyber Business Interruption.” Another might include this in a suite of coverages with a catchy name, such as “BrandGuard” or “Network Defender,” whereas other policies might not offer this at all, or simply remain silent.
First-party coverages are almost always listed with their own limits on the declarations pages of the policy. This means they can be sublimited. A policy with a $3 million limit listed, for example, might only have a $100,000 sublimit for notification expenses. Beyond a company checking its own coverage to make sure limits are appropriate, it is also important for companies to check this when dealing with vendors and outsource providers. An insurance certificate would generally list the $3 million top-line limit, which might not apply to all coverage in the policy.
So, how can a company ensure that it is covered for cyber incidents? The obvious answer is to put a knowledgeable team together: the CFO, COO, CIO, and other stakeholders and business units who would be aware of the risks that pose threats to the business. Next, companies need to discuss these in detail with their insurance agents. They need to spend the time to review the associated coverage closely and make sure coverage is set at the appropriate levels to cover the identified risks.
Beyond that, companies need to make sure all employees understand how important the cybersecurity of the company’s network is, and to devote time to training on how to avoid losses from happening in the first place. Last, companies also need to ensure that they have a documented response plan. They need to take this seriously and test the response plan on a periodic, but regular, schedule as it should be part of their normal operational plans and policies.
The National Institute of Standards and Technology (NIST) provides the following examples of financial, operational, legal, and reputational business impacts and risks regarding cyber incidents:
Brent J. Elstrom, RPLU
Vice President, Kamm Insurance Group