Questions to Ask Your Cyber-Insurance Provider
The breach problem has grown and cyber insurance is on the radar screen for many CEOs. The U.S. Congress is likely to create supportive legislation for cyber-insurance as a vehicle for improved security data sharing and a market-based solution for managing out-of-control cyber risks. But can cyber-insurance add enough value, or will it spawn a bubble of ill-conceived policies collapsing in acrimony amidst denied claims? Time will tell, but one thing’s for sure: early adopters must pick their policies carefully.
Here’s what I told the audience a few weeks ago at the Gateway to Innovation conference. First a bit of background.
Origins of Cyber-Insurance
Cyber-insurance emerged due to the cyber-exclusion gap in conventional insurance policies that would otherwise cover IT-related losses due to fires, floods, physical theft or other scenarios necessitating system replacement or repair as well as data recovery. But the probabilities and circumstances surrounding cyberattacks (not to mention the impacts) were seen as too unpredictable. Thus, most current general liability insurance policies for larger enterprises explicitly don’t cover losses due to cyberattacks (whether originating from insiders or external hackers).
Closing the Gap
Cyber insurance closes the cyber-exclusion gap. Although insurance companies still don’t have a detailed actuarial basis for understanding the risks from cyberattacks, for an additional fee they will cover them. The market opportunity for insurance companies is simply too big to ignore. Big companies like Lloyds and AIG are barreling in.
And now the Questions
So you have been assigned to evaluate consumer breach insurance. Congratulations! But what to do? Start by reviewing the various policies that are out there and then enter into discussions with a short list of carriers; at this point, if not sooner, you should also engage a good insurance broker. Here are some questions to ask (and your broker should identify more).
Does the policy have a retroactive date? Many policies only cover incidents or harm that occurred after the policy’s effective start date, or after some retroactive date. With many breaches taking months to discover, or at least having some early stages playing out over prior months, it’s critical to understand the policy’s coverage windows. Also, what is the reporting window? How and when does the organization have to report incidents, or even just changes in its IT security environment, to avoid a claim being rejected?
Does the policy cover full “first party” damages? First party damages are those that your company has to shoulder directly. They can include breach notification costs, hardware and software repairs, data recovery, business interruption and fines and penalties as well as some legal costs. Note that it will be difficult to get coverage for something as ephemeral as the “reputation damage” that can occur after a breach. But is there any way to measure reputation value or damage that you could use under the policy? If so, what data do you need to start gathering, now and after any breach?
Does the policy cover full “third party” damages? Third party costs are those that fall on your customers or partners but for which they may hold your organization accountable. Your organization may also be hit for costs borne by indirect customers, or customers of customers. It is critical to understand what is covered so you can react quickly and appropriately to events. Have your legal team review the policy, including any Indemnification Agreements (which may hold the insurance carrier harmless in the event of a breach caused by your organization).
Regulatory fines and penalties: Although cyber-insurance policies tend to cover first party costs, government fines and penalties may fall into a special category. Scrutinize the dollar amounts of coverage promised for fines and penalties in the policies, and any limitations or exclusions.
What about encryption? Some cyber-insurance policies will exclude coverage if a breach occurred on an unencrypted device. Even if some of an organization’s devices are encrypted, others may not be under its control. With bring your own device (BYOD) broadly predicted to become the dominant model in mainstream IT environments, how is your organization really doing on encryption, or on keeping sensitive data off of the BYOD environment? Organizations that do encrypt many devices, despite the challenges, also need reporting tools that can prove, for any given point in time, that a breached device was encrypted.
What types of incidents are covered? Some policies focus on consumer data breach scenarios, but organizations are also at risk of cyber-extortion, denial of service (DoS) and sabotage or vandalism, with some scenarios potentially resulting in third party actions such as online defamation, copyright or trademark actions, or other litigation. Are those scenarios included, or do they require separate policies? And how are they covered?
After you’ve gone through the initial underwriting process, the insurance company will provide a draft policy. Review this very carefully with security staff, legal staff and your insurance broker. It is important to understand the riders: what will and will not be covered, under which circumstances, how an incident is defined, how many incidents are covered and so forth.
Note that this article is written from the large organization’s perspective. Small businesses tend to get vaguely worded, cookie-cutter policies, and it is hard to tell what they’re actually buying and how to collect on it. Larger organizations, however, currently may benefit from a bit of a “buyer’s market.” Cyber-insurance terms are becoming more favorable, and it has been disclosed that policy-holders such as the recently breached retailer Target have collected on their claims.
The buyer’s market has created a bit of a conundrum for insurance companies. To grab a bigger slice of the emerging opportunity they have to make their “whole product” more competitive. That can mean improving coverage, reducing exclusions or caveats, or reducing the rigor of the assessments and reporting required from policy-holders. That has interesting implications, which I’d like to explore in a follow-up post soon.