Risk & Business Magazine Cooke Insurance Risk & Business Magazine Fall 2017 | Page 27

CYBER INSURANCE

In an increasingly connected world, no organization is immune from cyber-attacks. Whether they come sooner or later, you can be assured that they will come at some point. In the cybersecurity community, they talk about two kinds of businesses: those that have been breached and those that don’t realize they have been breached.

With more and more companies experiencing data breaches, the market for cyber insurance has grown exponentially in recent years. Unfortunately, cyber insurance is not as straightforward as many other types of insurance. Fortunately, that means it can be tailored to your company and you won’t get stuck with a one-size-fits-all policy.
Most cyber policies are offered on an a la carte basis, which allows policyholders to negotiate the terms and conditions they require and purchase coverage which will fit their individual needs. It is critical, however, to understand what you need from your cyber insurance and assess your business and its risks when trying to find the best coverage.
There are six essential aspects of cyber insurance which you should understand moving forward:
1. LIMITS AND SUBLIMITS Hands down, the issue of limits and sublimits is the most important aspect to understand. The cost of an attack, even a small one, can wind up in the millions of dollars. Policyholders need to be absolutely sure that their overall limits are within the scope of their level of risk. Doing this requires taking into consideration the costs associated with a potential data breach in conjunction with the limits of liability available. A broker is invaluable in this process.
Next, sublimits must be examined. These are extra limitations in the coverage of certain losses. They do not provide extra coverage per se, but they do set a maximum to cover specific losses. Sublimits are often applied to specific coverage areas, such as crisis management expenses, regulatory costs, or notification costs.
2. VENDOR ACTS AND OMISSIONS Along with the interconnectivity of the modern business environment is the entry of third-party vendors who store, process, and analyse data for businesses. While they make doing business easier, and often reduce overhead, they also represent a source of exposure. It is critical that your cyber liability policy will cover claims resulting from breaches caused by those third-party vendors.
3. RETROACTIVE COVERAGE Standard cyber policies place limits on (or outright deny) coverage for breaches occurring before a specified date. This applies even if the claim is made during the policy period. The date is typically going to be the date of the inception of the policy, but not always. Unfortunately, breaches often go undiscovered for weeks or months (or even longer). Having your policy extend retroactively is an essential aspect that shouldn’t be overlooked. Often, retroactive coverage can extend one, two, five, or even ten years in the past, though some insurers offer unlimited extensions.
4. EXCLUSIONS Every type of insurance is going to carry exclusions which limit the overall coverage. Understanding these exclusions is important to understanding where you may still be exposed to risk. When it comes to cyber insurance, there are three very common exclusions:
• Outdated software – Outdated software poses significant risk. Insurers often will not cover claims related to tools which have become outdated and are not receiving regular maintenance.
• Unencrypted mobile devices and data – Encryption doesn’t always mean data is safe, but many carriers view it as a benchmark of cyber security. Thus, it is important to understand whether or not proactive encryption costs would outweigh the alleviation of risk.
• Card issuer fines and penalties – Fines and penalties can be levied against an organization by card issuers, such as Visa, Mastercard, and American Express. These can be expensive and many policies exclude them.
Other common exclusions include bodily injuries and acts of foreign governments. Carefully go over your policy with a broker to understand when you are and are not covered under your current policy, and act accordingly.
5. PANEL PROVISIONS Often, insurers will have preferred vendors that they wish to use in the case of a breach. This means that having a pre-existing relationship with experts, legal professionals, or investigators will not matter if they are not approved by the carrier. Fortunately, this is an area which is often up for negotiation. It is important to make sure you have your chosen panel approved ahead of time, though, so you aren’t left in the cold when the time comes to make use of it.
6. CONSENT PROVISIONS Cyber policies often contain consent provisions that require policyholders to obtain the consent of the insurer before incurring certain expenses related to cyber claims. These cyber claim expenses are often related to notifying customers that a data breach has taken place, conducting investigations, or defending against third-party claims. If prior consent provisions are included in the policy and cannot be removed, policyholders should at the very least change them to ensure the consent of the carrier cannot be unreasonably withheld.
MOVING FORWARD Cyber insurance is a relative newcomer to the industry. It is continuously evolving, just like the cyber threats that are constantly emerging. A proactive approach is essential to keeping cyberattacks at bay and ensuring proper coverage. Working closely with a broker specializing in cyber threats and insurance and consistently analysing your needs based on new information is essential to success.
For more information and to find out whether your needs are being met, contact Cooke Insurance Group today.