13 Important Considerations When Obtaining Cyber Liability Insurance
(I co-wrote this article with Mark Lynd, CISSP, ISSAP & ISSMP, Head of Digital Business at NETSYNC.)
While cyber-liability insurance has become an essential component of a cyber-risk mitigation strategy, cyber-liability offerings are still relatively new. As a result, many parties seeking coverage are unaware of important factors that should be weighed when selecting a policy.
Confusion also arises because no overseeing government authority in the United States has set a standard for the specific provisions, coverages, limits, or language that a base cyber-liability policy should contain. Each insurer that underwrites such policies therefore drafts its own.
Businesses, therefore, often find it difficult to understand the full scope of the coverage they have been offered or have obtained, or to get a clear explanation of all of the triggers, riders, and exclusions that apply to their particular policies. Likewise, the complexity of cybersecurity, and of evaluating the related risks, has led many insurers to insure only large enterprises; to them, the cost of underwriting small and medium-sized businesses is simply not worth the premium income.
Selecting the right insurance provider is, therefore, often a challenging endeavor: without standard policy templates, each provider offers its own set of coverages, with its own compliance requirements and premium schedules.
As the cyber-liability insurance market evolves and matures, however, simplification and standardization seem to be on the way. Some young firms (including the recently launched iBynd, for which I [Joseph] am presently serving as an Advisor) have sought to create simplified, standard policies geared towards small and medium-sized businesses, allowing the parties who most need cyber-liability insurance to obtain it without suffering through complex audits and mounds of paperwork. Likewise, cyber-insurance policies for individuals are starting to appear in the marketplace.
When seeking cyber-liability insurance, business leaders (and individuals seeking coverage for themselves and their loved ones) should consult with their attorneys to ensure that they secure appropriate and adequate coverage, and with their information-systems professionals to ensure that the insured entity complies with all requirements of the policy issuer. Remember, a cyber-insurance policy is a legal contract: it is absolutely essential that policyholders adhere to policy requirements, or they may find otherwise valid claims denied should a cybersecurity incident occur. Note that policy requirements are often negotiable, as are coverages, especially if you are seeking a customized, complex policy rather than a standard offering.
So what are some things that you should keep in mind when seeking a policy? Here are 13 suggestions:
• Be meticulous when completing any insurance application, and provide the requested information as carefully and as accurately as possible; inaccurate or false answers on a cyber-liability insurance application can seriously jeopardize your coverage. In many cases, even if a policy is issued, a policy obtained with false information on the application can be rescinded (retroactively cancelled) after a claim is made, and your claims can therefore be rejected and remain unpaid. Have the people who actually run your security controls verify every technical answer before it is submitted, rather than leaving the questionnaire to a business or finance function alone.
• Understand that most cyber-insurance policies mandate that insured parties practice some degree of appropriate cyber-hygiene throughout the period of coverage, and that claims can be denied for failure to comply with such requirements. Controls that you attest to on the application, such as multi-factor authentication, offline backups, or patch timelines, typically must remain in place for the life of the policy, not just on the day you apply. Make sure that you fully deliver on the promises made as part of the arrangement.
• Understand whether a policy that you are considering covers only first-party cyber-liabilities, or whether it also covers third-party cyber-liabilities. If it does cover the latter, make sure that you understand what is covered and to what extent; most policies have significant caps and exclusions in this regard. If you do not understand the difference between first-party liabilities and third-party liabilities, please read the article Cyber-Liability Insurance 101: First Party Vs. Third Party Risks.
• Virtually all cyber-liability policies are issued on a claims-made basis, meaning that the policy responds to claims first made (and reported to the insurer) during the policy period, rather than to incidents that merely occurred during it. As such, ransomware, data breaches, and other cybersecurity problems discovered after a policy expires, but which actually occurred before coverage expired, are typically NOT covered unless the policy includes an extended reporting period (sometimes called tail coverage). Be especially wary of claims-made terms whenever you change insurance providers, since a gap between the old policy's expiration and the new policy's retroactive date can leave incidents from that window uncovered by either insurer. Also, note that setting the date of loss as the date of the claim does not mean that "pre-existing conditions" will be covered: claims based on cybersecurity incidents that commenced prior to the coverage start date are sometimes explicitly excluded, and may also be denied on the grounds that inaccurate information was provided to the insurer during the application process.
• Be sure you understand any and all policy limits and exclusions, as most cyber-liability insurance policies have both. Pay particular attention to sublimits, which cap specific categories of loss (ransomware payments or regulatory fines, for example) well below the policy's headline aggregate limit.
• Be aware that even if a ransomware payment is covered by an insurance company, there is still a chance that, if the insurer pays the ransom, you, the insured, may be hit with penalties associated with governance, compliance, and/or disclosure laws. For example, if paying a ransom involves transferring money to a party under US sanctions (which are administered by the Treasury Department's Office of Foreign Assets Control, OFAC), you could potentially face civil penalties or criminal charges if you make a claim and instruct the insurance company to pay, even though the insurer covers the cost; sanctions liability does not depend on who actually transfers the funds. (The insurance company may also be in hot water in such a case.) Likewise, an insurance company could refuse to pay a ransom if the party demanding it is under sanctions, even if your policy otherwise requires the insurer to cover the payment. Expect the insurer's incident-response panel to run a sanctions check on the threat actor before any payment is approved.
• Much as it may seem strange in the realm of cybersecurity and cyber-liabilities, insurance policies often limit coverage to specific geographical areas (e.g., the United States, Spain, Israel, the EU, etc.). Be sure that you have adequate coverage in all regions in which you require it, including regions where your data is hosted or where your customers and regulators are located, not only where your offices are.
• Most modern cyber-liability policies contain explicit instructions that insured parties must follow when making a claim. Those provisions typically specify what to report, when, and to whom, and often spell out the exact steps that a claimant must take in order to make a claim. Failure to follow any such instructions can lead an insurance company to assert that the insured party failed to comply with the policy's notice condition, which can provide grounds for the insurer to deny an otherwise valid claim. Put the insurer's notification deadline and contact details into your incident-response plan so that they are at hand during an incident rather than buried in the policy document.
• Many cyber-liability insurance policies require that the insured party obtain the insurer's consent before spending money on a ransom demand, or in connection with responding to any other form of covered breach. Failure to obtain approval from the insurer can jeopardize the claim in whole or in part, and the insurance company may refuse to reimburse the insured for expenses that would otherwise have been covered.
• Many insurers require that insured parties use specific types of professional resources, or even specific named resources, to perform various activities in the event of a claim. An insurance company may mandate, for example, that an insured hire parties from an approved list (often called a panel) of security consultants, security firms, attorneys, cyber-forensic specialists, and public-relations / crisis-communications firms. Be sure that you understand these requirements, and that you adhere to them in the event of a claim. Note that using such resources can be of benefit to you: in many cases, preferred suppliers of such services are either on retainer with the insurance company and contracted to be available on short notice in order to help minimize the damage from a cyber attack, or have negotiated preferred rates with the insurer, both for covered work that the insurance company will pay for and for uncovered work for which you may be on the hook. If you already have an incident-response firm you trust, ask whether it can be added to the panel before you sign.
• It is important to ascertain what types of sensitive information you possess, and how much of it, in order to determine your potential liability. You need to know, for example, how many records of Personally Identifiable Information (PII), financial data, and healthcare data subject to HIPAA you hold, and where each lives (including at cloud providers and other third parties), because per-record notification and credit-monitoring costs are what drive the size of a breach claim, and because insurers size their premiums and limits from these numbers.
• Check whether your policy explicitly addresses the final disposal of any compromised data. If you suffer a ransomware attack, for example, and the attacker returns your data and/or the keys to it through one of the insurance company's resources, will the insurer destroy all copies of your data after passing them along to you? Even if it will eliminate all of its copies, will it do so by properly wiping and/or destroying the media on which the data currently resides?
• Cyber coverages continue to evolve with the threats, so it is important to ask whether the policy covers the risks that actually apply to you today, not the ones that were common when the policy form was drafted. For example, losses from social-engineering and funds-transfer fraud (such as business email compromise) are frequently excluded or sublimited unless you specifically negotiate that coverage.