As cyber-attacks continue to surge—a risk heightened by the coronavirus pandemic—the need for cyber-insurance is growing more urgent each day. But it’s critical for companies to first familiarize themselves with how to navigate the labyrinth of cyber-insurance products on the market so they are properly covered.
Variations of cyber-coverage have been around as early as the 1990s, arising with the “dot-com” era. At that time, policies generally covered legal claims resulting from data breaches. Since then, cyber-coverage has evolved dramatically, with each policy having its own dizzying array of terms and conditions, exclusions, and loopholes. Many large insurance providers now even offer standalone cyber-insurance, filling in the gaps of exclusions often found in general property insurance policies.
According to Hiscox’s 2020 Cyber Readiness Report, 58 percent of 5,569 cyber-security professionals surveyed said their organizations purchased an insurance policy—either as standalone or as an add-on to an existing policy—compared to 41 percent in 2019.
It’s all very confusing, to say the least. Even the Cybersecurity and Infrastructure Security Agency, which has touted the importance of cyber-insurance, acknowledged that “many companies forego available policies” due, in part, to “the perceived high cost of those policies” and “confusion about what they cover.” Only in the last 5-10 years have companies, large and small, really started to get on the cyber-insurance bandwagon as cyber-attacks increase.
“As recently as three years ago, it was a struggle to get the C-suite behind general liability insurance,” says Meghan Hannes, vice president and cyber-product head at insurance provider Hiscox. “Now, cyber-coverage is becoming far more mainstream.” According to Hiscox’s 2020 Cyber Readiness Report, 58 percent of 5,569 cyber-security professionals surveyed said their organizations purchased an insurance policy—either standalone or as an add-on to an existing policy—compared to 41 percent in 2019.
Types of cyber-insurance
While many nuances of cyber-insurance do exist, coverage generally falls under the following: first-party claims (the costs associated with a data breach on your own network or system) and third-party claims (the costs associated with lawsuits caused by a breach).
Business disruption costs are another element of cyber-insurance coverage, whether a system goes down from a cyber-attack or an otherwise unplanned outage that isn’t caused by a cyber-attack. “It will cover the resulted net income expenses from that outage,” Hannes says.
All told, the scope of cyber-insurance is quite broad. “I’ve had a lot of very good experience with carriers and what they’re willing to cover,” says Tom Bentz, who leads Holland & Knight’s Directors & Officers and Management Liability Insurance Team.
Insurance disputes are likely to arise, however, when policyholders don’t spend the time to fully understand what they’re buying and what exactly is covered. “For example, there may be some confusion as to whether you have a sublimit of coverage for a type of event, or if you can use a particular law firm in the event of a breach,” Bentz says.
Mind the gaps
Some policies have “duty to defend” provisions, which means the insurer must defend an entire claim. The tradeoff, though, is the insurer gets to select the counsel, typically from a panel of defense firms maintained by the insurer. “We are on panels, and I will tell you most of the panels are very good,” Bentz says, but that may not be preferable to a company that has been with the same firm for several years and would rather have its own counsel.
Thus, in the process of purchasing a cyber-policy, being able to clearly communicate expectations is an important part of obtaining desired policy terms, which is where an insurance broker comes into play. “You need to have a broker that you really trust,” says John Reed Stark, president of John Reed Stark Consulting. “If you can find one that you really trust, that can help you tremendously.”
“One of the first things I advise clients to do is to begin with a review of their current insurance policy,” Stark says. Many times, a cyber-policy might not explicitly mention cyber-risk but still offer coverage along those lines, also referred to as “silent” cyber. “So, sometimes with buying cyber-insurance, you might actually be buying coverage you already have,” he says.
Before purchasing cyber-insurance coverage, Stark recommends management undertake a reverse gap analysis, analyzing the typical cyber-incident response workflow that follows a data breach or cyber-attack. Such things to consider when doing a reverse gap analysis include the costs associated with preserving data; hiring a forensic investigator to conduct a digital forensic analysis; data exfiltration review; customer notification and credit monitoring; remediation; and legal costs associated with lawsuits and investigations.
“You also need to know your industry,” Stark says. Data security incidents can differ dramatically, depending not just on the type of attack, but also on the type of industry of the victim company—such as retail, financial, and healthcare, he says.
By analyzing the costs of a data breach response workflow, a company can better collaborate with the insurer to best allocate risk and determine, before a cyber-attack occurs, which workflow tasks will trigger coverage; which will fall outside the scope of coverage; and which might be uninsurable altogether. “Once you figure that out, the next best thing to do is to go to a seasoned cyber-insurance lawyer,” Stark says.
“You go to a lawyer like me,” Bentz says. “This is what I do. I review the policies in advance of a claim so that we know where those gaps could be, and we try and prevent as many of those gaps as possible from becoming issues.”
Bentz also advises clients on cyber-insurance matters concerning high-risk transactions, like mergers and acquisitions. “As far as coverage in a merger situation, we want to make sure that the company has sufficient limits to cover the additional assets, the information they’re purchasing,” he says. “You also want to make sure you handle the claims-made portion of the coverage appropriately with an extended reporting period (or ‘tail’ coverage), so if you have a breach after the merger, you still have that protection in place.”
As far as who makes the final decision of purchasing cyber-insurance coverage, “it really depends on the company,” Bentz says. Sometimes, the decision rests with legal, while other times it rests with the CEO or chief information officer. There is no right or wrong answer.
While demand for cyber-insurance is on the rise, insurance providers are facing a whole other kind of risk. “Supply and demand have been flipped on their head over the last six months because of ransomware,” Hannes says. “The market used to have far more supply than demand. Now, you have supply being stressed by loss-making results in 2019 and 2020.”
According to a recent analysis by Coveware, a ransomware incident response platform, the average ransom payment in the first quarter of 2020 was $111,605, a 33 percent increase from the fourth quarter of 2019, driven mainly by a few large ransom payments made by large companies. On average, the median ransom payment hovered around $44,021, Coveware found.
The frequency and severity of ransomware attacks is becoming so risky for insurers that it led the New York State Department of Financial Services (NYDFS) on Feb. 4 to become the first U.S. regulator to issue guidance for the cyber-insurance industry. The Cyber Insurance Risk Framework outlines industry best practices for New York-regulated property/casualty insurers that write cyber-insurance, advising them “to establish a formal strategy for measuring cyber-insurance risk that is directed and approved by its board or other governing entity. The strategy should be proportionate with each insurer’s risk based on the insurer’s size, resources, geographic distribution, and other factors,” NYDFS said.
Calling 2020 a “watershed year” for cyber-insurance, Hannes sees insurance providers starting to put in place very strict underwriting controls. “Some carriers are limiting ransomware coverage altogether,” she says, adding that “ransomware makes up a large portion of our claims, both from a frequency and severity perspective.”
Hannes continues: “Expect to also see additional services offered from carriers to help organizations become better at risks over time. This isn’t simply about underwriting our way to profit, this is also about changing the culture of understanding what good security controls are, specifically to thwart ransomware attacks and help our customers achieve that improved security posture over time.”
If companies have all those things in place—a trusted broker, a seasoned cyber-insurance lawyer, and a robust cyber-security framework—you are in the best position possible to be protected when a cyber-attack occurs.