Question: What legal language should I look out for when selecting cyber insurance?
Andrea Luoni, CEO and founder of RateCraft: This is a great question because a higher premium does not always equal better protection when it comes to cybersecurity insurance. That's because money does not guarantee protection – language does. Many coverages can actually be added or increased by adapting the language with little to no change in premium.
Although it may not seem like it in the moment, vague coverage surrounding cybersecurity can be better in some cases, as it can give business insurance attorneys more room to find an opening for coverage in the case of a legal conflict with the carrier.
Conversely, if the language is very specific, be cautious of what it is or is not saying. For example, if the policy lists coverage for being hacked or a ransomware attack, these are good things to be included that could be of great concern to a business. However, that may mean other cybersecurity issues, such as social engineering, are not covered. The business may not even know to look for social engineering coverage or whether the carrier offers the coverage but under a different name.
Read the fine print, or exclusions, too. It could have a clause that voids coverage for "insider compromise" or that unknowingly requires social engineering coverage to have dual authentication implemented. A cyber policy should also have universal triggering definitions between first- and third-party coverages. Many policies can lack this, which can cause problems if claims are covered on one side of a policy and not the other.