However, there is a variety of frameworks, process models and risk transfer vehicles for most residual risks. When we explore and learn from the breaches of the last couple of years, we can apply those lessons to our benefit.
Today’s cyber risks come in all shapes and sizes, from employee negligence, through network shutdown or impairment and disclosure of protected information due to social engineering or hacking, to regulatory violations and everything in between. Instead of focusing exclusively on building cyber IT defenses, taking an integrated enterprise approach to managing cyber risks is much more effective. This would include the development of a cyber security program that places attention on a number of issues, including employee training (which is huge), network security, and third-party risk management. Even then, however, some cyber risks will remain.
But instead of simply absorbing these residual financial risks, more and more companies are transferring this liability through insurance. Although it is never a substitute for appropriate policies and practices, cyber liability insurance that is appropriately tailored to a company’s unique risk profile and tolerance can be a key component of an effective cyber risk management program. Companies are pivoting in their stance from “nice to have” to “must have,” with the majority of them having experienced an incident, whether or not it resulted in an actual network breach.
If you outsource functions of your business that can put you at risk, such as credit card processing, handling payroll, administering employee benefits, billing, accounting/tax services, processing banking information, background checks, credit checks, or even simply doing business in the cloud, you need to take preventative steps. At an average breach cost per record of $141*, can you afford not to consider the addition of a cyber liability policy?
So, what is a Cyber Liability policy?
A Cyber Liability policy can provide much-needed tactical and financial support for companies confronted with a cyber incident. On a basic level, the cyber policy’s first-party coverage applies to costs incurred by the insured when responding to a covered cyber event, while third-party coverage responds to claims and demands against the insured arising from a covered incident.
First-party coverage can be triggered by a variety of events, including the malicious destruction of data, accidental damage to data, IT system failure, cyber extortion, viruses and malware. For the most part, first-party coverages include legal and forensic services to determine whether a breach occurred and, if so, to assist with regulatory compliance; costs to notify affected employees and/or third parties; network and business interruption costs; damage to digital data; repair of the insured’s reputation; and payment of ransom costs.
Third-party coverage can be triggered in a variety of ways, including by claims for breach of privacy, misuse of personal data, defamation/slander or the transmission of malicious content. Coverage is available for legal defense costs, settlements or damages the insured must pay after a breach; electronic media liability, including infringement of copyright, domain names and trade names on an internet site; and regulatory fines and penalties.
A good Cyber Liability policy typically provides for the retention of an attorney. These attorneys are also referred to as breach coaches, as they help coordinate the insured’s response to a cyber incident. An experienced coach can build an effective team of specialists and efficiently guide the company through the forensic, regulatory, public relations and the lovely legal issues that arise from a security incident. To me, this is almost paramount. Coverage for the retention of a skilled breach coach could be the greatest benefit of a cyber liability policy. Think about it. Given the complexities of the various federal and state laws pertaining to data breach notification, the increasing demands of regulators and the scrutiny of the media and the class action bar, an expert coach would be a welcome addition at the time of an incident.
How do you obtain a Cyber Liability Policy?
It’s easy. We can help you. We’d welcome the opportunity to support your risk management plans with our full-service brokerage solution and explore what you have in mind. There isn’t a standard application for a cyber liability policy, and the applications for the most part are very short and not very time intensive. A lot of carriers will ask for similar types of information, including the customary financial data about the company, such as assets and revenues, the number of employees, and any planned M&A activity. They will also ask for and/or assess:
- The volume and types of data (e.g., credit card data, banking records, protected health information) handled or maintained by the company
- Whether written, attorney-approved and up-to-date policies and procedures concerning the handling of information exist
- Whether you are compliant with security standards and regulations, and how frequently assessments are performed
- What the existing network security programs are, including the use of firewalls, antivirus software and network intrusion testing
- Whether you have a chief information officer or chief technology officer
- Any history of security incidents and breaches, including how long it took to detect any prior breach
- Any prior threats to disable the company’s network or website
- Any awareness of facts or circumstances that could reasonably give rise to a claim under a prospective cyber policy
- Whether there has been a prior cancellation of, or refusal to renew, a cyber liability policy
- What the company’s security budget is (is it part of the IT budget and, if so, what percentage?)
- What the practices are concerning data encryption, passwords, patching and system access control
- A description of the employee hiring and training practices, and the procedures around termination
- What kind of physical security controls (e.g., access cards) are in place
- Whether you perform audits of third-party service providers
- Whether vendor contracts and policies are reviewed, and how many vendors you have
- What the policies governing mobile devices and social media are
- What your data backup procedures are and how often they are performed
Special care and attention should be taken in accurately completing the application, which will become part of the policy if one is issued. It becomes the warranty on which the carrier extends coverage. Applications may require the signature of the company’s president, CEO and/or CIO, who must attest to the accuracy of the company’s responses. Inaccurate information provided in the application may jeopardize coverage if a claim is later tendered under the policy. Be sure to provide correct information.
Be mindful when choosing the right Cyber Liability policy.
Unlike more traditional forms of insurance policies, there is currently no standardized policy form for cyber liability, and policies often contain “manuscripted” provisions agreed to by the carrier and the insured during the negotiation of the policy. Policy terms, including grants of coverage, exclusions and conditions, vary among the 60 or so carriers that currently issue cyber liability policies, and numerous coverage options are offered by these carriers. Given this new reality of cyber liability, companies need to ensure that the cyber liability policy they purchase is appropriate for their specific risk profile. For example, if a company entrusts its data to third parties, it will want coverage for third-party risks. If it maintains an active social media presence, it will want media liability coverage. And as more regulations are enacted around cyber security and data-handling practices, coverage for regulatory fines is of obviously increasing importance for many entities.
When you are negotiating the purchase of a cyber policy, the following points, among others, should be considered:
- What are the company’s specific cyber risks?
- Are policy limits and sub-limits adequate for existing needs?
- Is there retroactive coverage for prior unknown breaches?
- Is there coverage for claims resulting from vendors’ errors?
- Is “loss” of data covered or just data “theft?”
- Can cyber liability be combined with vendor indemnities to maximize protection?
- Does the policy cover data in the possession of cloud providers and other third parties?
- Will the carrier offer a subrogation waiver?
- How does the cyber policy fit within the company’s overall insurance program?
In addition to the coverages provided by a cyber liability policy after a cyber event, some cyber carriers offer free or discounted loss control benefits, including information governance tools, information management counseling, employee training, risk assessments, and review of the insured’s vendor contracts.
Care should be taken to ensure that the policy adequately addresses the company’s cyber risks and appropriately dovetails with the other coverages in the insured’s comprehensive insurance program. Keep in mind that with cyber liability, the insuring agreements don’t really matter, as they basically say the same thing. What really matters are the definitions. As an example, one carrier’s policy may define “Computer Virus” as a Trojan horse and malicious code, whereas another may very well define it as just a Trojan horse. That’s a big difference. Definitions impact coverage. Pay attention to the definitions, and get your IT team involved in understanding them should your own understanding fall short.
We can help. It’s easy, pain-free and, at the end of it, you walk away better protected for very little out of pocket.