All enterprises, regardless of their size and scope, face cyber risk. As technology grows increasingly sophisticated, so do cyber-attacks. This is why it pays to be prepared with both a cybersecurity plan and cyber-liability insurance.
Any organization that depends on an IT infrastructure to create cash flow, or conduct business, should look to cyber insurance as a key part of a risk management strategy, advises Peter Hawley, vice president, insurance, at Axio, a global cyber-risk management firm. Should the worst happen, cyber insurance will help the policyholder deal with the incident at the time, recover, and remain operational, he notes.
Most enterprises bundle cyber-liability insurance along with other types of general business insurance coverage. Some organizations, however, turn to independent providers to see if they can obtain better pricing, says Steven Aiello, security and compliance practice director with business technology consulting firm AHEAD. “Prices are going up almost universally, and coverage is becoming harder to get at reasonable price points,” he observes.
The first step in obtaining affordable cyber insurance is finding a broker who is well-versed in coverage terms and has access to several different insurance markets, says Mark Dobrow, a vice president in the insurance brokerage division of Segal, a human resources and employee benefits consulting firm. “Market knowledge and experience is limited due to the relative newness of the product as compared to the long history of standard property coverages,” he explains. “The right broker can tailor the coverage to your needs and should know which markets are best for a particular situation.”
An organization that lacks a comprehensive understanding of its cyber risk, and fails to deploy relevant preventative measures, can put itself at a distinct disadvantage when shopping for a cyber-insurance policy. “Following the past few years of significant losses from cyber incidents, insurers are looking for customers who can demonstrate risk maturity and are not seeking insurance as a means for replacing good cyber-risk hygiene,” Hawley says.
Cyber-insurance policies are generally designed to cover data breaches, system attacks, and system failures. Insurers typically respond to a claim by providing a breach response service, supplying both forensics and legal experts, Dobrow says. Most insurers will also handle the necessary notifications to breached parties, including letters, call center services, credit monitoring, and identity theft restoration support.
Besides providing first-party responses, a cyber-insurance policy should include third-party coverage as well, since there may be stakeholders who decide to seek legal action, regardless of the enterprise's initial public response. Additional important coverage areas include ransomware, extortion, and business interruption reimbursements, Dobrow notes.
When shopping for cyber-insurance coverage, it's important to understand that brokers aren't necessarily cybersecurity experts. As insurance experts, they will align the business needs presented to them with the appropriate products available in the market. To ensure accurate alignment, applicants must convey their specific needs to the broker, Hawley advises.
The biggest mistake cyber-insurance applicants make, Aiello says, is paying poor attention to detail. “Businesses must ensure technology is being deployed in line with the insurance firm's conditions, otherwise insurers can attempt to get out of paying a claim if the technology was not ‘properly implemented’,” he warns.
Unfortunately, the language used in cyber-insurance policies isn't always consistent between providers. “Therefore, having a full overview of what's available can be difficult to obtain without an investment of time and energy,” Hawley cautions.
Sealing the Deal
While finding an affordable policy is important, having a full understanding of the proposed coverage should always come first. “Obtaining competitive options, if available, is a great way to view carriers side-by-side [to compare] coverage and premiums,” Dobrow says.
Other factors to consider include deductibles, sub-limits, and the exact wording of specific endorsements. “A knowledgeable broker can be invaluable in providing guidance and assuring the right fit,” Dobrow says.
Dynamic risks lead to dynamic marketplaces, and there are few markets more active than cyber-insurance. “Questions posed to, and expectations of businesses by insurance carriers, move with the threat vectors,” Hawley says. Engaging with insurers at the same speed as the various threat vectors is important to presenting the best image of your organization's risk maturity. “Insurance policies are focused on making a policyholder whole again and being able to communicate your risk to your insurer is a core component,” he notes.
Applicants should always pay close attention to a policy's fine print. An insurer, for example, may claim that it will no longer cover nation-state attacks. “That’s a very broad statement -- what does it mean?” Aiello asks. “Does it mean if a nation-state attacks a power grid, and power is no longer available, will coverage be denied, or will a claim be accepted?”
The devil, as always, is in the details.