Today’s cyber risks come in all shapes and sizes, from disclosure of protected information due to hacking or employee negligence through network shutdown or impairment, regulatory violations, and everything in between.
Painfully aware that 100% cybersecurity is an impossibility, smart companies no longer focus exclusively on building cyber defenses. Instead, they are taking an enterprise approach to managing cyber risks, which includes development of a cybersecurity program that places attention on a number of issues, including network security, employee training and third-party risk. Even then, however, some cyber risks will remain.
Instead of simply living with those residual risks, more companies are taking a holistic approach to cyber risk management, which includes transferring residual cyber risk through insurance. Although it is no substitute for appropriate policies and practices, cyberinsurance that is appropriately tailored to a company’s unique risk profile can be a key component of an effective cyber risk management program.
What is cyberinsurance?
Cyberinsurance can provide much-needed tactical and financial support for companies confronted with a cyber incident. Generally speaking, the cyber policy’s first-party coverage applies to costs incurred by the insured when responding to a covered cyber event, while third-party coverage responds to claims and demands against the insured arising from a covered incident.
First-party coverage usually can be triggered by a variety of events, including the malicious destruction of data, accidental damage to data, power surges, IT system failure, cyber extortion, viruses and malware. Generally available first-party coverages include legal and forensic services to determine whether a breach occurred and, if so, to assist with regulatory compliance, costs to notify affected employees and/or third parties, network and business interruption costs, damage to digital data, repair of the insured’s reputation, and payment of ransom costs.
Third-party coverage can be implicated in a variety of ways, including by claims for breach of privacy, misuse of personal data, defamation/slander, or the transmission of malicious content. Coverage is available for legal defense costs, settlements or damages the insured must pay after a breach, and electronic media liability, including infringement of copyright, domain name and trade names on an internet site, regulatory fines and penalties.
Cyberinsurance typically provides for the retention of an attorney, a so-called breach coach, to coordinate the insured’s response to a cyber incident. An experienced coach can build an effective team of specialists and efficiently guide the company through the forensic, regulatory, public relations and legal issues that arise from a security incident. Given the complexities of the various federal and state laws pertaining to data breach notification, the increasing demands of regulators, and the scrutiny of the media and the class action bar, coverage for the retention of a skilled breach coach is perhaps the greatest benefit of cyberinsurance.
Obtaining cyber coverage
Although there is no standard application for cyberinsurance, insurers usually ask for similar types of information from the prospective insured, including customary financial data about the company, such as assets and revenues, number of employees, and planned merger and acquisition activity. In addition, cyberinsurance applications typically inquire as to the volumes and types of data the company handles, the existence of updated written policies and procedures approved by a qualified attorney, compliance with security standards and regulations, existing network security, prior breaches, security incidents and claims, information management practices, and a variety of related issues.
Care should be taken to accurately complete the application, which will become part of the policy if one is issued. Applications may require the signature of the company’s president, CEO, and/or CIO, who must attest to the accuracy of the company’s responses. Inaccurate information provided in the application may jeopardize coverage if a claim is later tendered under the policy.
Choosing the right cyberinsurance policy
Unlike more traditional forms of insurance, there currently are no standardized policy forms for cyberinsurance, and policies often contain “manuscripted” provisions agreed to by the insurer and the insured during the negotiation of the policy. Policy terms, including grants of coverage, exclusions and conditions, vary among the 60 or so carriers that currently issue cyber policies, and numerous coverage options are offered by cyberinsurers.
Given this reality, companies need to ensure that the cyber policy they purchase is appropriate for their specific cyber risk profile. For example, if a company entrusts its data to third parties, it will want coverage for third-party risks. If it maintains an active social media presence, it will want media liability coverage. And as more regulations are enacted around cybersecurity and data-handling practices, coverage for regulatory fines is increasing in importance for many entities.
In addition to the coverages provided by cyberinsurance after a cyber event, some cyberinsurers offer free or discounted prophylactic or “loss control” benefits to improve their insured’s cyber risk profile. Loss control services can include information governance tools, information management counseling, employee training, risk assessments, and review of vendor contracts.
Because of the variety and complexity of the cyber policies on the market, companies are urged to consult with knowledgeable and experienced professionals to help negotiate the most favorable policy terms and limits to fit the company’s needs. Care should be taken to ensure that the policy adequately addresses the company’s cyber risks and appropriately dovetails with the other coverages in the insured’s comprehensive insurance program. And instead of simply putting a completed cyberinsurance policy on the shelf with hopes that it will never have to be used, insureds should make sure that they fully understand the representations they made in their policy application, as well as any continuing obligations they have under the policy, so that they can fulfill their responsibilities and maintain coverage in the event of a claim.
For most companies, though, it should be a matter of finding the right cyber coverage, not whether to obtain cyber insurance at all. Companies will continue to be under threat, and new cyber dangers are emerging every day. Having a policy in place that is suited to your company’s particular risks and exposures is a very smart step toward implementing an effective and holistic cyber risk management program.
Judy Selby is a managing director, technology advisory services for BDO Consulting, focusing on cyberinsurance, cybersecurity, privacy and insurance issues. She can be reached at jselby@bdo.com.
Originally published on LegalTech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
