As more organizations start considering cyber insurance as one component of a fully fleshed-out IT security operations and risk management strategy, increasing numbers of IT executives and security leaders will be called upon to evaluate these policies. While the cyber insurance market has matured considerably over the last few years, this process can be daunting for the uninitiated.
"Policyholders need to critically review all language in their cyber policies," says Selena Linde, a partner with Perkins Coie LLP who practices insurance law. "With no standard ISO form, cyber policies are still the Wild West of insurance policies, and the language offered by the 50-plus carriers in this space changes monthly."
Dark Reading recently caught up with Linde and Jake Kouns of Risk Based Security, a firm that tracks breach and vulnerability information to sell to insurance underwriters. They both offered up salient points that many IT staffers likely have never considered about cyber policies -- both the benefits and the "gotchas" that might not always be apparent on first review.
Cyber insurance policies aren't magic
Kouns explains that, like any kind of insurance, cyber policies have the potential to include exclusions, narrow definitions, and other limits. The more of these limits, the less expensive the policy. They're simply a way to keep costs in check.
"This is common insurance stuff that has been going on for a long time," Kouns notes about the type of language that restricts coverage in various ways. Just because a potential policy has that language doesn't necessarily make it bad. What's bad is when an organization considers itself covered by insurance for a breach without understanding the limits of the policy.
"There are some policies out there that are not high quality, and then there are those that are really great options for transferring risk," Kouns says. "So you just need to understand what kind of data your company has and what sort of limits it might need to limit cost."
This is where an experienced broker can help
"Companies have been buying property insurance, workman's comp, and all of these other policies forever, and they have a broker or agent they buy them through. These brokers and agents are experts at picking the right policy, so use that expertise."
You're going to need to think more seriously about retroactive dates
As organizations dive into the language of their policies, one of the essential elements to consider is the retroactive date for a policy. Increasingly stealthy attacks are being discovered on corporate networks only after they have been present for months or even years.
"Since experts have found that when a breach is discovered the hacker has usually had access to the system for more than 400 days, negotiating early retroactive dates is critical," Linde says.
Terrorism/act of foreign enemy exclusions could sink you
In a car insurance or homeowner policy, an exclusion for acts of terror or foreign enemies may not be that big of a deal. But for cyber risk policies, these exclusions could be a real problem.
"With the majority of cyber attacks originating overseas and many of those believed to be state sponsored, how these exclusions are worded is critical to the value of the coverage," Linde says. "Companies need to negotiate the removal of these exclusions or carve-outs to these exclusions to ensure the coverage they purchase will indeed cover cyber attacks from outside the United States."
You're buying more than a claims payout
Insurance carriers don't make money by paying out claims.
"And if a claim comes in, it's in their best interest to get it closed as cheaply as possible," says Kouns.
That is why organizations tend to get far more value from cyber insurance than the potential of a paid claim. Insurance companies have on-staff and outsourced resources such as lawyers to help fight class-action lawsuits, security people to advise on protections before breaches and incident response after breaches, and credit monitoring services to help consumers after a breach.
"As a part of your policy you get access to those capabilities to help you respond and recover," he says.
Even a minimal policy buys you a valuable partner
Often organizations will consider cyber liability policies an all-or-nothing affair. They'll want all the exclusions lifted from a policy but balk at the resulting price and ultimately choose not to buy anything at all. But given the resources insurance companies bring to the table, there may still be real benefit in the middle ground.
"At the end of the day, just getting a lower amount of insurance will get you started and will get you access to all of those resources. So if you only have $1 million in coverage and your breach is $1.7 million, you're going to be on the hook for that extra money -- but guess what?" Kouns says. "You're going to get the negotiated rate from these different vendors instead of getting gouged by the security people who say, 'Oh, you're in a bad spot? OK, that'll be $500 an hour and I'll be camped out for five months.'"
Who you talk to after a breach could affect your claim
Because cyber insurance is such a new field, claims against such policies tend to have a higher rate of litigation attached to them than other, more established insurance products. These legal struggles depend heavily on how policy language and intent are interpreted by the courts. This means that organizations must be very careful about whom they talk to and what they say early on in the process.
"What a policyholder says and to whom and how it is said may make the difference between a covered and an uncovered claim," says Linde. "Policyholders should be careful in the initial stages when characterizing their claims or discussing coverage with their insurance companies, their brokers, or any outside consultants."
In particular, policyholders have to be careful about discussing coverage issues with their brokers -- especially in email or IM.
"In many jurisdictions, communications with a broker are not subject to any privilege, and any unprotected communications may be discoverable if a coverage dispute ultimately arises," Linde warns.
Delaying notice is a potential claims killer
Once a breach is detected, don't wait too long to notify your insurer of the issue. How long you have will vary by policy, but some require notice within as little as 24 hours of public disclosure.
"Generally, however, notice must be provided between 30 and 90 days after the discovery of a breach," Linde says. "Failure to abide by the policies’ specific notice provisions may bar coverage in some jurisdictions, especially for claims-made policies."
Insurance companies are starting to reword policies to only cover "theft"
According to Linde, many policies are starting to include revised language that makes them only cover losses from theft of data. That could be dangerous for companies that suffer a data exposure from negligence such as an employee losing a laptop with sensitive data.
"Since negligence still accounts for close to one-third of cyber breaches, companies need to ensure they are covered regardless of how the data ultimately ended up in the wrong hands," she says.
Contractual liability exclusions might void your policy without action
"Insurance carriers often try to avoid coverage by arguing that contractual relationships with vendors, credit card companies, and banks act to void the purchased insurance in an event of a breach," Linde warns.
As companies evaluate their policies, they should keep an eye out for these kinds of exclusions. If they can't get them removed, they should "at a minimum carve them back," she recommends.
It's less expensive than you think
Given the prevalence and the costs associated with data breaches, the price of cyber liability insurance is still "unbelievably" low, according to Kouns.
"Risk transfer is a legit option -- it works and it works really well a lot of times, and you get a lot services-wise, along with financial recovery, for the price," he says, explaining that even if it seems steep at first, there may be a way to craft policies with lower limits that make sense, depending on the organization. "You can right-size your policy."