With analysts projecting the cyber insurance market to heat up in the coming year, it's clear there are a lot of organizations on the hunt for a good policy. With cyber insurance still very much in its earliest stages, there's very little consistency in policy coverage and language. That means due diligence is crucial, lest organizations find themselves financially holding the bag after a breach in spite of paying premiums for coverage they thought would help.
Here are some of the most important things to look out for as you start the process of vetting policies:
Know the difference between liability and risk policies.
As you start evaluating policies, understand that there are generally two kinds of cyber insurance policies, says Steve Durbin, managing director of the Information Security Forum. There's cyber liability insurance and there's cyber risk insurance.
"Cyber liability insurance provides coverage for liabilities that an organization causes to its customers or to others--insurers call this third-party risk," Durbin says. "Cyber risk insurance is used to cover direct losses to the organization, often known as first-party risk."
Durbin says that cyber risk insurance is less prevalent because these types of policies are more difficult to underwrite due to a lack of actuarial history. They're also less likely to be sought out because of mistaken beliefs, he says.
"Many organizations assume, perhaps incorrectly, that their corporate insurance or general liability policies will cover cyber risk," he says.
Carefully consider a cyber insurance policy in the context of other policies.
This misapprehension is why it helps to start with existing insurance policies and look for gaps with regard to cyber risks.
"An enterprise first needs to understand how cyber insurance fits into its broader portfolio of insurance policies, such as errors and omissions, general liability, and directors and officers," says Andrew Braunberg, research vice president of NSS Labs. "Knowing what’s already covered in these policies, where holes exist, and how cyber insurance could fill some of those holes is a good start."
When building what insurance lingo calls an insurance "tower," it is also important for an organization's lawyers to comb through all the policies in totality to make sure that layered policies work properly together.
"In building large insurance towers, it is very important that the excess policies are true 'follow form' policies that will drop down over all of the coverage grants of the underlying policy," says Steve Bridges, senior vice president of the brokerage JLT Specialty USA's Cyber/Errors and Omissions team. "In a large loss scenario, having one carrier on a program refuse to pay their limit will cause huge problems up the tower."
Examine limits carefully--especially sub-limits.
Financial coverage limits are one of the fundamental elements by which an organization should be judging its cyber insurance policies. First of all, it is essential that the organization have as accurate an estimate as possible of the amount of financial risk it needs to offset with a policy.
"Because the frameworks used for cyber risk management are still immature and evolving, we find that the financial sector’s Value at Risk [VaR] framework can be very useful in determining the amount of cyber coverage an enterprise should be considering," says Jim Jaeger, chief cyber services strategist for Fidelis Security.
Jaeger warns that organizations should consider their own risk relative to average breach numbers. With the Ponemon Cost of Data Breach statistics pegging the average breach cost at $3.8 million, some businesses may find many $1 million to $5 million policies inadequate.
"Based on the type of business, loss of large amounts of PII/PHI could run through a $5 million policy before you get to regulatory or any liability judgments," he says.
Even more important is the issue of sub-limits placed on specific categories of coverage within a policy.
"There is not a standard cyber insurance form," Jaeger says. "Policies have sub-limits that will limit your forensic spend to a certain amount," for example.
If language exists to limit forensic spend drastically, the organization will still have to pay out-of-pocket for anything beyond the sub-limit even if the overall limit has not been exceeded.
Watch out for exclusions.
Similarly, understanding the language around exclusions is crucial to ensuring that a cyber insurance policy is worth the premium.
"Understand the insuring agreements to be sure you have the coverage you are looking for and then check the scope of the exclusions. Exclusions for minimum security standards can kill all best efforts," says Brian Branner, executive director of strategic alliances for RiskAnalytics.
Establishing clarity about vague standards for those types of exclusions is also important.
"Have counsel review for broadly worded exclusions such as 'breach of contract'--a data breach is just that and the reason you are buying the policy," Jaeger says.
In the same vein, if there are exclusions for security standards not being met, it is important to get in writing specifically what those minimum standards are, in order to avoid heartache in the future. This may require more discipline on the risk management and visibility front for an organization, both in the evaluation stage and when proving standards have been met.
"Enterprises should also understand that the more risk they transfer to an insurance carrier the more visibility into that risk they must provide," Braunberg says. "This can require a fairly intensive evaluation of security practices and potential vulnerabilities."
Retroactive dates are important.
As an organization negotiates its policy, it should fight to get retroactive coverage as far back as possible, says Jaeger, given the low-and-slow attack tactics of criminals these days.
"The breach may have started a year or more ago and you don’t know it. This date will protect you if the forensics determine you were breached prior to purchasing the policy," he says, explaining that it is common to find breaches that started more than a year before the initial forensics investigation. "In these breaches, the attackers are often deeply embedded in the network, which dramatically raises the cost to investigate and contain the breach, as well as the damage done by the attackers."
Look for service benefits.
When vetting insurance providers against one another, things like premiums, limits, and exclusions will all be of utmost priority. But don't forget to consider other benefits on the table such as included security services or those offered at a discount to policy holders.
"A few of the insurers have recognized that they can reduce their own risk by enhancing the cybersecurity of the firms they are insuring," Jaeger says. "As a result, these firms are now providing security education and proactive services to their insurance clients. Other insurance firms provide vetted lists of cybersecurity firms to their clients for both proactive security projects and incident response services."
In the latter case, though, if it is important to you, be sure that you can still hire your own folks during an incident.
"Make sure you can hire your attorney or forensic partner in the policy versus being limited to use of firms identified by the insurer," he says.
Get a great broker.
Time and time again, the experts who weighed in on best practices for procuring cyber insurance hammered on the importance of an experienced and specialized broker in guiding the process.
"It is every insurance carrier’s job to limit coverage and charge a healthy premium. It is the broker’s job to get the lowest cost while expanding and customizing policy wordings/coverage specific to each insured," says Branner. "If your broker lacks in-depth expertise in this subject area, which is common outside of the top ten brokers, then you may just end up with a policy that will disappoint you in time of a claim."