Cybersecurity insurance coverage can be extremely valuable, but choosing the right insurance product presents significant challenges. A diverse and growing array of products is in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer-and even between policies underwritten by the same insurer. In addition, the specific needs of different industry sectors, and different organizations within those sectors, are far-reaching and diverse.
Although placing coverage in this dynamic space presents a challenge, it also presents substantial opportunity. The cyber insurance market is extremely competitive, and cyber insurance policies are highly negotiable. This means that the terms of the insurers’ off-the-shelf policy forms often can be significantly enhanced and customized to respond to the insured’s particular circumstances. Frequently, very significant enhancements can be achieved for no increase in premium.
The following are five strategic tips for purchasing cyber insurance.
1. Adopt a team approach.
Successful placement of cybersecurity insurance coverage is a collaborative undertaking. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input not only of a capable risk management department and a knowledgeable insurance broker but also of in-house legal counsel and IT professionals, resources, and compliance personnel-and experienced insurance coverage counsel.
2. Understand risk profile and tolerance.
A successful insurance placement is facilitated by having a thorough understanding of an organization’s risk profile, including the following:
- The scope and type of data maintained by the company and the location and manner in which, and by whom, such data are used, transmitted, handled, and stored
- The organization’s network infrastructure
- The organization’s cybersecurity, privacy, and data protection practices
- The organization’s state of compliance with regulatory and industry standards
- The use of unencrypted mobile and other portable devices.
Many other factors may warrant consideration. When an organization has a grasp on its risk profile, potential exposure, and risk tolerance, it is well positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.
3. Ask the right questions.
It is important to carefully evaluate the coverage under consideration, from cyberterrorism to excluding the acts of “rogue employees” and excluding the use of unencrypted devices. In all cases, the organization should request a retroactive date of at least 1 year prior to the policy inception, given that advanced attacks go undetected for a median of 229 days.
4. Beware the fine print.
Like any other insurance policy, cybersecurity insurance policies contain exclusions that may significantly curtail and undermine the purpose of the coverage. Some insurers, for example, may insert exclusions based on purported shortcomings in the insured’s security measures.
One case recently filed in the California federal court on May 7, 2015, highlights the problems with these types of exclusions. The case is Columbia Casualty Company v. Cottage Health System, in which Columbia Casualty, CNA’s non-admitted insurer, seeks to avoid coverage under a cybersecurity insurance policy for the defense and settlement of a data breach class action lawsuit and related regulatory investigation. CNA relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. These types of broadly worded, open-ended exclusions can be acutely problematic and impracticable. If enforced literally, they may vaporize the coverage that the policy is intended to provide. The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cybersecurity insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them or to entirely eliminate them-and often this does not cost additional premium.
5. Pay attention to the application.
CNA in the Columbia Casualty case also seeks to deny coverage based upon alleged misrepresentations contained in the insured’s insurance application relating to the risk controls. The important takeaway is that cybersecurity insurance applications can, and usually do, contain a myriad of questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists who may not appreciate the nuances and idiosyncrasies of insurance coverage law. For these reasons, it is advisable to have insurance coverage counsel involved in the application process.
Learn more about cybersecurity insurance and what to look for by downloading your copy of Navigating the Digital Age. Get the book here.