These days, it seems that everyone has heard a cyber insurance horror story: a catastrophic cyber event followed by a swift denial of cyber insurance coverage. At a time when all companies are beginning to think in terms of cyber resilience, cyber insurance is an important part of any company's cyber preparedness. As outside counsel, I've spent significant time reviewing cyber policies. Below are my top tips to consider when looking at your cyber insurance coverage.
Tip 1. If you don't know whether you have cyber insurance, you likely do not have it.
Why? Because cybersecurity events are a common exclusion across general liability policies and require their own standalone policy. Worse, not all policies are created equal and the cyber insurance industry is like the Wild West: Because of its relative newness, policies are not standard. So, while your directors and officers policy (D&O) may look basically the same as the insurance company's down the street, that is likely not the same for cyber coverage. Thus, it is important to carefully review your cyber insurance options and not just lock in whatever an insurance broker is selling as premium coverage.
Tip 2. Read the actual policy, not just the summary of coverage.
Cyber insurance coverage can diverge drastically from insurance provider to insurance provider, so it is incredibly important to review the actual insurance policy. Some of you may be rolling your eyes at this basic suggestion but you'd be surprised how often I've seen a client provided with a summary of coverage without a copy of the actual underlying policy and think that may be all that they need. Why does this matter? Because inevitably there will be terms that govern the policy that are legally defined terms in the policy itself. So, if a dispute arises as to whether an event is covered in an insurance policy, a court is going to look at the four corners of the actual insurance policy and will not likely consider evidence of what you were told at the time you bought the policy. An insurance policy is a contract between you and the insurance company. And, just like a breach of contract action, if there is a dispute later, a court will look to the written agreement between the parties. Therefore, the time to read the policy is now — not during an event.
Often, I see a summary of coverage that lists a "social engineering exclusion." These social engineering exclusions can encompass phishing and sometimes even ransomware. But if you only have the summary of coverage without the related definitions, you won't know what may or may not be covered.
It's also important that your CISO, or someone in your organization with cybersecurity intelligence, reviews the cyber insurance policy, which typically incudes technical language and definitions. For example, I recently read a policy that only provided coverage for a claim made by someone for incidents that rose to the level of "technology wrongful act" and "privacy and security wrongful act." But when you read the policy, technology wrongful act covered only the hosting of data. The coverage for "privacy and security wrongful act" covered what the policy described as "the failure to prevent a breach that resulted in the inability of the user to gain access to a network, malicious deletion of data on the network, and transmission of malware to third parties." Notably missing from this definition was the concept of a financial loss related to social engineering, phishing, ransomware, or wire transfer fraud.
Tip 3. Exclusions can be brutal.
Cyber-risk translates into big dollar risk and insurance companies recognize this. Phishing and ransomware can both be common exclusions along with business email compromise events. Wire transfer fraud is often not covered. Because of this, it is important to look at your policy to determine what it really and truly covers. I once had a CEO ask if their policy only covered someone breaking in and stealing a server rack. Unfortunately, in that instance, the answer was "basically."
I have also started to see policies that contain a summary of coverage page that lists out a set sum for coverages (for instance, a chart that shows $5 million worth of first-party coverage to protect the company being insured). Then, hidden deep in the policy is the actual sublimits and exclusions. In one egregious review, the social engineering sublimit of $100,000 was buried on page 54 of a 66-page PDF. It also contained a $50,000 "retention" or, essentially, deductible, to be paid out of pocket by the company before coverage is triggered. If the client had only the summary coverage provided by the broker, they would have thought they had $5 million in cyber coverage because the exclusion was not listed front and center but was instead hidden deep in the PDF.
Knowing that exclusions exist as a common part of cyber insurance, it is important to ask your broker for several cyber insurance policies to compare at the time of binding coverage. Look at your business operations and determine what coverage you need. Is your organization a software company? Managed service provider? Brick and mortar with a lot of employees? A public utility or a financial institution? Hospital? Tailor your cyber insurance to your business and be aware that the typical broker may be fantastic at selling D&O coverage but is not a cyber insurance guru. No matter your industry or business model, having a cybersecurity lawyer help navigate the insurance coverage matrix and negotiate coverage.
4. Negotiate before, not after a breach
You can always try to negotiate better coverage. At minimum, ask for lower retentions and higher sublimits.
If you have a favorite forensic team, ask that members be included as your chosen provider in the event of a breach. Often, insurance companies provide "panel" counsel and "panel" forensics teams. I have seen fantastic firms listed as panel counsel in the marketing materials provided to a client. Then, when the breach hits, they are assigned counsel not from the elite Manhattan firm but from somewhere else.
You can also ask for your chosen team to be included when you "bind" coverage. As part of the insurance application process, make a specific request for the people you know and trust. Then, when the worst hits, you know you have your A team at your back versus a crew arriving from out of your market.