Quick Guide To Cyber Insurance Shopping

Experts offer their opinions on important due diligence tasks when procuring cyber insurance.

With analysts projecting the cyber insurance market to heat up in the coming year, it's clear there are a lot of organizations on the hunt for a good policy. With cyber insurance still very much in its earliest stages, there is very little consistency in policy coverage and language, which means that due diligence is crucial, lest organizations find themselves financially holding the bag after a breach in spite of paying premiums for coverage they thought would help.

Here are some of the most important things to look out for as you start the process of vetting policies:


Know the difference between liability and risk policies.

As you start evaluating policies, understand that there are generally two kinds of cyber insurance policies, says Steve Durbin, managing director of the Information Security Forum. There's cyber liability insurance and there's cyber risk insurance.

"Cyber liability insurance provides coverage for liabilities that an organization causes to its customers or to others--insurers call this third-party risk," Durbin says. "Cyber risk insurance is used to cover direct losses to the organization, often known as first-party risk."

Durbin says that cyber risk insurance is less prevalent because these types of policies are more difficult to underwrite due to a lack of actuarial history. They're also less likely to be sought out because of mistaken beliefs, he says.

"Many organizations assume, perhaps incorrectly, that their corporate insurance or general liability policies will cover cyber risk," he says.


Carefully consider a cyber insurance policy in the context of other policies.

This misapprehension is why it helps to start with existing insurance policies and look for gaps with regard to cyber risks.

"An enterprise first needs to understand how cyber insurance fits into its broader portfolio of insurance policies, such as errors and omissions, general liability, and directors and officers," says Andrew Braunberg, research vice president of NSS Labs. "Knowing what’s already covered in these policies, where holes exist, and how cyber insurance could fill some of those holes is a good start."

When building what insurance lingo calls a "tower" of layered policies, it is also important for an organization's lawyers to comb through all the policies in totality to make sure that the layers work properly together.

"In building large insurance towers, it is very important that the excess policies are true 'follow form' policies that will drop down over all of the coverage grants of the underlying policy," says Steve Bridges, senior vice president of the brokerage JLT Specialty USA's Cyber/Errors and Omissions team. "In a large loss scenario, having one carrier on a program refuse to pay their limit will cause huge problems up the tower."


Examine limits carefully--especially sublimits.

Financial coverage limits are one of the fundamental elements by which an organization should judge its cyber insurance policies. First of all, it is essential that the organization have as good an estimate as possible of the amount of financial risk it needs to offset with a policy.

"Because the frameworks used for cyber risk management are still immature and evolving, we find that the financial sector’s Value at Risk [VaR] framework can be very useful in determining the amount of cyber coverage an enterprise should be considering," says Jim Jaeger, chief cyber services strategist for Fidelis Security.

Jaeger warns organizations to consider their risk relative to average breach numbers. With the Ponemon Cost of Data Breach statistics pegging the average breach cost at $3.8 million, some businesses may find many $1 million to $5 million policies inadequate.

"Based on the type of business, loss of large amounts of PII/PHI could run through a $5 million policy before you get to regulatory or any liability judgments," he says.

Even more important is the issue of sub-limits placed on specific categories of coverage within a policy.

"There is not a standard cyber insurance form," Jaeger says. "Policies have sub limits that will limit your forensic spend to a certain amount," for example.

If language exists to limit forensic spend drastically, the organization will still have to pay out-of-pocket for anything beyond the sub-limit even if the overall limit has not been exceeded.


Watch out for exclusions.

Similarly, understanding the language around exclusions is crucial to ensuring that a cyber insurance policy is worth the premium.

"Understand the insuring agreements to be sure you have the coverage you are looking for and then check the scope of the exclusions. Exclusions for minimum security standards can kill all best efforts," says Brian Branner, executive director of strategic alliances for RiskAnalytics.

Establishing clarity about vague standards for those types of exclusions is also important.

"Have counsel review for broadly worded exclusions such as 'breach of contract'--a data breach is just that and the reason you are buying the policy," Jaeger says.

In the same vein, if there are exclusions for security standards not being met, it is important to get in writing specifically what those minimum standards are, in order to avoid heartache in the future. This may require more discipline on the risk management and visibility front for an organization, both in the evaluation stage and when proving the standards have been met.

"Enterprises should also understand that the more risk they transfer to an insurance carrier the more visibility into that risk they must provide," Braunberg says. "This can require a fairly intensive evaluation of security practices and potential vulnerabilities."


Retroactive dates are important.

As an organization negotiates its policy, it should fight to get retroactive coverage as far back as possible, says Jaeger, given the low-and-slow attack tactics of criminals these days.

"The breach may have started a year or more ago and you don't know it. This date will protect you if the forensics determine you were breached prior to purchasing the policy," he says, explaining that it is common for a forensics investigation to find breaches that started more than a year earlier. "In these breaches, the attackers are often deeply embedded in the network, which dramatically raised the cost to investigate and contain the breach, as well as the damage done by the attackers."


Look for services benefits.

When vetting insurance providers against one another, things like premiums, limits, and exclusions will all be of utmost priority. But don't forget to consider other benefits on the table such as included security services or those offered at a discount to policy holders.

"A few of the insurers have recognized that they can reduce their own risk by enhancing the cybersecurity of the firms they are insuring," Jaeger says. "As a result, these firms are now providing security education and proactive services to their insurance clients. Other insurance firms provide vetted lists of cybersecurity firms to their clients for both proactive security projects and incident response services." 

In the latter case, though, if it is important to you, be sure that you can still hire your own people during an incident.

"Make sure you can hire your attorney or forensic partner in the policy versus being limited to use of firms identified by the insurer," he says.


Get a great broker.

Time and time again, the experts who weighed in on best practices for procuring cyber insurance hammered on the importance of an experienced and specialized broker in guiding the process.

"It is every insurance carrier’s job to limit coverage and charge a healthy premium. It is the broker’s job to get the lowest cost while expanding and customizing policy wordings/coverage specific to each insured," says Branner. "If your broker lacks in-depth expertise in this subject area, which is common outside of the top ten brokers, then you may just end up with a policy that will disappoint you in time of a claim."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
