Cyber liability Q&A: Important questions for all policyholders
Despite ongoing efforts to ward off the threat of cyber crime, businesses today continue to face challenges when it comes to mitigating their risks. The evolving challenges posed by major data breaches have left both insurers and policyholders in a constant state of flux as the marketplace aims to manage, and stay ahead of, the issue. Below are several key questions and answers about cyber liability insurance and some best practices for dealing with cyber loss.
It seems like every week there’s news of another company facing cyber losses from a large data breach. How has the marketplace changed since the onset of these crises?
While the onset of these breaches has prompted many changes to occur, one of the most important for policyholders relates to first party expenses, such as Forensics, Notification, Public Relations and Credit Monitoring. Historically, many insurance carriers would sublimit the first party expense limits to cap their exposure. Now that more carriers have entered the Cyber insurance market and created competition, many have started offering full limits on first party coverages in order to stay competitive. I believe this is one of the most positive developments for policyholders because typically the largest payout on a Cyber claim is on the first party coverages, especially forensics.
What are insurance professionals doing to manage these ever-evolving risks?
The cyber insurance market has become very specialized, so it’s critical that brokers fully understand every cyber exposure that a company faces and are able to negotiate the policies accordingly. This has become increasingly complex because coverage language and terminology tend to vary among different carriers. For example, one insurance carrier might offer Information Risk Liability, another Network Security Liability and a third Cyber Liability. In reality, all three of these carriers are talking about the same coverage, but particular nuances of each policy may differ.
In the event of a breach, how soon should a company notify their insurer? What are the basic and most important steps to follow in the immediate aftermath of a breach?
Insureds should notify the insurance carrier as soon as they believe a breach might have occurred. It is important to get the carrier involved early because many carriers will not cover first party expenses that haven’t been approved. An insured may incur thousands of dollars of forensics help without ever notifying the insurer, and typically those costs are hard to get covered if the carrier hasn’t approved them.
What types of questions/concerns should a company consider when looking to purchase cyber-liability insurance? How does an organization figure out which specific forms of coverage are needed?
In order to tailor policies to a specific organization’s needs, a company should look at whether or not it handles or owns any consumer Personally Identifiable Information (PII), such as credit card numbers or health information. Another important step in the process involves examining the number of unique records the company holds, and a thorough review of any contractual obligations to a third party in the event of a breach. Brokers can help guide companies through these steps and explain to policyholders what types of corresponding Cyber insurance coverages/forms are needed.
Suppose a company already has a General Liability or other traditional business policy (D&O, E&O, Crime, etc.). Do any of these coverages offer protection against cyber losses?
E&O policies can, and often do, include the Cyber Liability coverage. The remaining lines of insurance typically do not cover any type of Cyber related loss.
What kinds of exclusions should policyholders be aware of when securing coverage? Are there certain limits that apply?
All Cyber Liability policies typically contain similar exclusions, but it is the job of the broker to have any that might affect the insured’s business operations removed. Insureds also need to be aware of any sub-limits on their coverage. These are typically seen on the first party expenses such as Forensics and Notification, but can also be found on Regulatory Fines & Penalties, PCI-DSS Assessments coverage and Business Interruption.
For more information on covering your company against the threat of cyber losses, contact a member of the WGA team.
About the Author
Michael Sullivan is a Client Executive in the Property & Casualty group at William Gallagher Associates. His responsibilities include negotiating and placing specialized insurance programs with a variety of clients in the Technology Life Science, Energy and Clean Technology industries.