At Secure Halo, we are proud to have partnered with leading insurance brokers and global underwriting markets to provide pre- and post-binding cyber risk assessments for insurance programs across key industries. Insurers are placing increased emphasis on a holistic assessment performed by an independent third party, one that reviews the maturity of cybersecurity practices, the role of internal and external business operations, and the ability to recover and return to regular operations following a cyber attack. All of this information helps insurers craft a fair and accurate policy.
While Secure Halo is an enterprise cyber risk consultancy and not an insurance company, our three-year partnership with global insurance markets supporting the Critical Asset Protection facility has required us to quickly learn the often tricky world of insurance and how buyers can offset their exposure through insurance channels.
According to the Allianz Risk Barometer, which surveyed over 800 risk managers and insurance experts in more than 40 countries, cyber incidents are the most important long-term risk for companies over the next 10 years. While healthcare, financial services, retail, and technology services have been early adopters of cyber insurance, demand from most other verticals is expanding as well. This will continue as corporate boards across industries mandate protection and insist that coverage be tailored to their unique liability exposure and individual threat landscapes.
Pitfalls of Cyber Insurance Difficult to Recognize
Unfortunately for potential insureds, while cyber insurance products and services abound, there is almost no uniformity in individual coverage, contract language, or the meaning of key definitions. As the costs associated with cyber attacks and breaches continue to reach new heights, insurers naturally attempt to limit their exposure through exclusions, clauses, and other limitations. Potential insureds in the market for cyber insurance are therefore advised to sit down with their broker and work through the considerations below.
1. Understand Your Unique Risk
Before determining how much coverage to purchase, and which particular policy you might need, you must know the current strengths and weaknesses of the security controls already deployed across your entire enterprise. What are you currently doing to prevent, detect, correct, and recover from a cyber event?
What is the likelihood of your company, and your industry, being in the crosshairs of an adversary? Secure Halo uses a "5 C's of Cyber" model to describe the target profiles into which organizations can fall: targets of convenience, circumstance, consequence, conflict, and conscience. Hackers and cyber criminals have a variety of motives for engaging in malicious cyber attacks, and understanding those motives helps you identify and mitigate the risks to your organization.
Furthermore, in the event of an attack, what digital assets are at risk? Corporate intellectual property? Customer payment card data? Patient protected health information? Using historical examples of victimized companies in your peer group, what was their estimated cost to contain the incident? How much did their post-incident forensic investigation cost? What were their costs associated with legal and public relations? How about credit monitoring, notification, and call service support to customers? And lastly, what were the regulatory costs, including both federal and state?
2. Not All Policies Are Created Equal
Because cyber insurance policies lack uniformity, it is critical to read them in their entirety and to question your broker closely about what is included and what is excluded. Does the policy cover exactly what your C-suite and Board need it to?
3. Indemnity Through Vendors?
It is important to understand how a policy will cover contingent risks arising from your use of vendors and third-party service providers, which can result in significant exposure. Think Target, which was breached through an HVAC provider. Serious problems arise if you don't understand how a policy will respond to a cyber event that does not happen directly to your organization yet still causes business interruption to your enterprise. Don't assume that such losses will automatically be covered.
4. Any Policy Sublimits? Deductibles?
Some types of coverage are subject to sublimits or substantial deductibles. So while you might think you have adequate coverage, you may be responsible for significant deductibles before coverage is triggered. Additionally, according to Mary Guzman, Senior Vice President of Cyber Sales and Strategy at McGriff, Seibels & Williams, many policy forms contain sublimits, especially around breach notification expenses. "When you have an information security breach that involves PII or PHI, a lot of those policies have limitations on how much the client can spend on forensics, monitoring or credit monitoring. So you want to make sure you don't have sublimits or that you understand exactly how they're going to work."
5. Arbitration
Does the policy contain mandatory arbitration clauses in the event of a dispute with the carrier? If yes, in what jurisdiction will arbitration be held, and who would bear the cost?
6. First-Party Loss and Third-Party Damage Claims?
This is a crucial factor. Data breaches can be devastating and will result in losses and claims. Take the time to methodically examine the policy language in order to evaluate the insurer's coverage of both first-party loss (your own costs of responding to a breach) and third-party exposure (regulatory responses and investigations, fines and penalties, and so on). Consider engaging outside counsel to review policy forms for a full understanding of coverage.
7. Where Does Cyber Insurance Fit Among Other Coverage?
Look at the other insurance you carry, such as policies that cover business interruption, directors and officers (D&O), and errors and omissions (E&O). Is cyber covered or excluded under these policies? Determine how they can be complemented by cyber insurance.
8. Cyber Insurance Limitations
While cyber insurance helps transfer risk, there are some things it will not cover. Some policies, for instance, will not indemnify damages such as loss of reputation, even though that loss can translate into lost revenue.
Cyber insurance on a large scale is relatively new and standardization has been slow to materialize. Therefore, it is imperative to be as prepared as possible before making a decision as consequential as the purchase of cyber insurance.
Please reach out to Secure Halo or our partners at McGriff, Seibels & Williams Inc. to learn more about how we have worked together to provide cyber risk assessments for insurance programs.