What All Companies Should Know About Cyber Insurance
Recent surveys indicate that cyber security has become a primary concern within the C-suite, in some surveys surpassing concerns about regulatory investigations, employment claims and shareholder litigation, which is why it’s no longer possible to address executive liability without addressing cyber risk. There is also considerable confusion among companies when it comes to the topic of cyber risk and cyber insurance. In order to be better prepared when placing coverage, there are some intricacies all companies should be aware of. We also have a cyber insurance guide (here) which explains the basic workings of the policies for those interested.
Policies Differ. When it comes to directors and officers insurance, most buyers understand that D&O policies are complex and non-standardized, requiring a seasoned broker familiar with executive liability. Many policyholders, however, are unaware that cyber insurance policies can be equally (if not more) complex. No two policies are alike, and generally speaking, the more aggressive the pricing, the more restrictive the policy terms. Insurers can restrict or negate coverage in a number of ways:
- Narrow Definitions: Restrictive definitions can significantly limit the scope of coverage. For example, some cyber policies limit “data” to personal health information or personally identifiable information such as dates of birth, social security numbers, etc. Broader policies expand the definition of “data” to include corporate confidential information. Similarly, when it comes to utilizing outside vendors, some policies limit coverage only to data in the policyholder’s possession, whereas other insurers will extend coverage to breaches that affect your information while it’s in the care or custody of a third-party contractor or vendor.
- Problematic Exclusions: Policies often contain exclusions that can be difficult to interpret. One of the most basic examples is the “self-propagating code” exclusion. Considering that malware, ransomware, viruses, bots and trojans are all commonly spread through self-propagation, such an exclusion can severely restrict (or entirely negate) coverage. To provide a more complex example of problematic exclusions, some policies may provide affirmative coverage for PCI fines, understandably leading the policyholder to believe coverage is intact. Contractual exclusions embedded within the policy, however, may negate that coverage, as in the case of P.F. Chang’s China Bistro Inc. v. Federal Insurance Company.
- Restrictive Requirements: Cyber policies also contain specific terms and conditions requiring that particular controls be implemented when addressing data protection. Encryption is one of the most basic examples. Purchasing a policy that requires all data to be encrypted and failing to actually encrypt that data could render your policy unresponsive. In the context of social engineering fraud, insurers often include a “dual-authentication” requirement, which requires the policyholder to verify the authenticity of a wire transfer twice, prior to transferring funds. Purchasing a policy with such a requirement and failing to actually perform sufficient verification will also almost surely result in a coverage declination.
Cyber Insurance Doesn’t Cover Everything. Cyber insurance policies can provide thorough coverage for a wide range of risks, and they continue to become increasingly comprehensive with time. However, there are certain risks that are generally uninsurable, such as:
- Theft of Digital IP: Companies today place a tremendous value on their digital IP. And, as evidenced by some large-scale breaches such as the attack against ThyssenKrupp in 2016, cyber criminals recognize that tremendous value. With cyber espionage growing, it’s understandable that companies and their boards are concerned about protecting their most valuable asset. Theft of digital IP, however, is not covered by cyber insurance. While it would be more appropriately covered by a crime policy, theft of digital IP is actually entirely uninsurable at the current time. Despite the lack of available insurance, there are steps organizations can take to safeguard those assets and insulate themselves against any resulting lawsuits. We discussed this topic in a prior article for BNA (here).
- Brand & Reputational Damage: Companies that have sustained a publicized breach can attest that data breaches can inflict significant reputational harm, brand damage and lost customer loyalty. Some cyber policies will include an element of reputation restoration coverage in order to mitigate the resulting damage; however, that insuring agreement will not reimburse the organization for lost revenues resulting from the loss of its clients or customers. The insurers’ reputational coverage is almost always limited solely to the costs of hiring a PR firm in order to rebuild customer trust, and even then it may be heavily sub-limited.
- Certain Regulatory Actions and Investigative Costs: Federal and statutory cyber laws (such as GDPR) are being passed with greater frequency while simultaneously imposing stricter requirements. It’s important to note, however, that it can be difficult to purchase comprehensive coverage for regulatory actions. While most policies do provide some level of protection for regulatory defense costs and resulting fines, the coverage is limited to regulatory proceedings following a “privacy or security wrongful act”, and even then coverage can differ greatly. When there is no actual qualifying wrongful act, as in the case of simple compliance failures (absent a breach) prompting pre-emptive regulatory investigations or fines, the policy’s regulatory insuring clause cannot be triggered, leaving the organization without coverage.
The Solution May Not Actually Be Cyber Insurance. Cyber insurance has become an integral part of any well-rounded insurance program today; however, it is only one piece of a larger (carefully coordinated) puzzle. When addressing specific concerns, companies should be aware that the solution may not actually be cyber insurance.
- Directors and Officers Insurance (D&O): Cyber incidents can inflict considerable financial damage on an organization; however, in some cases that may only be the tip of the iceberg. When that financial damage is great enough, or results in a stock drop, shareholder/investor suits may be close behind. In order to protect themselves against follow-on securities claims or derivative actions, companies should implement a well-structured D&O insurance policy, while carefully addressing any policy exclusions.
- Crime & Social Engineering: According to the FBI, from the beginning of 2017 until May of 2018, companies lost $12 billion to business email compromise schemes. Given those statistics, it’s understandable that falling victim to social engineering attacks (CEO fraud) is a primary concern for directors. While this method of fraud does have an obvious cyber nexus, insureds interested in securing insurance against these schemes are best off pursuing coverage through a well-tailored crime/computer fraud policy. While some cyber policies will include coverage for social engineering attacks, the terms are generally not as broad as those that can be obtained through a crime policy.
- Tech E&O: In the context of data protection, cyber liability insurance is intended for companies that are storing, processing or transmitting data. A failure to do so securely and responsibly could result in that data being compromised, triggering lawsuits, investigations or notification requirements. But what about technology companies whose professional service is the actual storage or treatment of that data? Because any unintended disclosure of data would stem from their own technology service failure, such companies truly require technology errors & omissions (E&O) insurance. Most insurers have also endorsed their Tech E&O policy forms to include certain cyber insuring agreements in order to provide coverage for exposures such as lost income resulting from cyber incidents.
Your Insurance Program Should Match Your Risk Profile: Cyber risk is a broad term. Specific cyber exposures can depend heavily on your industry and specific operations. What type of data are you storing or processing? How reliant are you on your vendors/suppliers? Could a cyber intrusion result in any potential property damage or bodily injury? Here are just a few examples of how cyber needs can differ based on industry and operations. Verizon has also published their 2018 breach report here which breaks down breaches by industry.
- The healthcare sector is subject to many of the standard cyber risks such as ransomware attacks and social engineering schemes. However, it also has a very unique risk profile. In addition to the fact that the majority of its privacy incidents tend to be attributed to rogue employees and employee errors, healthcare organizations are also subject to bodily injury claims resulting from a cyber breach. A single cyber intrusion could result in patient records being accessed or modified. This could lead to treatments (or even blood type) being altered, ultimately resulting in patient injury or even a wrongful death. In the context of biotech companies and medical devices, devices with cyber security vulnerabilities can be exploited, resulting in harm to the patient. With almost all general liability policies containing a cyber exclusion, and almost all cyber policies containing a bodily injury exclusion, coverage needs to be carefully coordinated in order to respond to such claims. It’s a topic we discussed in a prior article (here).
- Wholesalers and importers, on the other hand, have an entirely different risk profile. Because most wholesalers do not possess any personally identifiable or personal health information, the risk of triggering notification requirements is small. The greater risk lies with attacks such as social engineering schemes and e-theft schemes, where hackers may impersonate a client and request goods to be shipped to a fictitious warehouse, resulting in lost/stolen goods. There is also a greater risk of suffering lost income should a cyber incident cripple a supplier, effectively delaying the shipment of goods. Additionally, wholesalers may be more subject to media liability claims arising from the advertising of products on their website.
- Cyber risk can even differ among businesses within the same industry. A law firm focused on traffic violations will have different cyber requirements than a law firm primarily engaged with mergers and acquisitions. Law firms engaged with mergers and acquisitions require strong language when it comes to including “corporate confidential information” within the definition of data. They may also be targeted more aggressively and require higher limits considering that hackers target M&A data in order to manipulate the market and commit insider trading schemes.
Strong Cyber Security Controls Come First. Insurance should be viewed as a backstop, providing protection when all else fails. Just as you lock your house and set your home’s central alarm, strong cyber security controls and corporate policies and procedures should be your first line of defense. In the context of cyber risk management, they can often be your best defense and help reduce your overall cyber insurance premium when placing coverage. Such controls include, among other things:
- Employee training can help identify phishing attacks and malware and help reduce employee errors that result in the unintended disclosure of protected information.
- Business continuity plans are an often overlooked aspect of cyber security. The faster a company can resume operations following an intrusion into its networks and servers, the more it can mitigate any resulting damage.
- Regular and secure backups can mitigate the damage of ransomware attacks and other breaches by maintaining duplicative data that would otherwise need to be restored (an often costly endeavor).
- Network security controls such as firewalls and regular updates can prevent malware from being installed and identify suspicious attachments.
- Physical security controls can thwart theft of digital IP by employees.
- Encryption is always recommended. Aside from the fact that many cyber policies maintain an encryption requirement, encryption is an important step in safeguarding data.
- Contractual risk transfer with third parties is another often overlooked aspect of cyber liability. When utilizing outside vendors, it’s important to review the terms of the contract. This is both to ensure that liability is shifted to the appropriate party and to ensure that their usage of your data is not inadvertently violating your own privacy policies and user agreements.
Smaller Businesses Are Particularly Susceptible. While smaller and mid-sized companies may not be targeted as aggressively as a large financial institution or large law firm, they appear to be more susceptible to data and privacy breaches in general, due to the simple fact that they are less prepared. Estimates suggest that 60% to 90% of all breaches impact smaller businesses. Large companies almost always implement aggressive risk management controls, with teams dedicated to monitoring and responding to potential threats. Smaller and mid-sized companies, on the other hand, often lack even the most basic controls. For this reason, it is often easier for hackers to infiltrate smaller-scale companies. And as larger companies continue to strengthen their cyber security environments, cyber criminals will continue to exploit the lowest-hanging fruit.
Specialists Are Required: It may be tempting to obtain a cyber insurance quote online, or convenient to purchase cyber insurance through your existing broker, but for the reasons outlined below, it’s important that you discuss the qualifications of the agent or broker with whom you are working.
- Coverage Coordination: As we’ve demonstrated above, cyber risk can affect every company differently, and cyber policies are complex contracts that can often be difficult to interpret. In order to ensure any coverage placement effectively matches the risk profile of the organization, it’s important to work with a specialist that understands the policy’s terms and conditions. Specialty brokers can often negotiate broader policy terms and may also be able to better vocalize any existing cyber risk management controls to help keep premiums lower.
- Claim Reporting: When it comes to reporting cyber incidents, immediate reporting is critical. Claims can easily be denied on the basis of late reporting. Brokers unfamiliar with the nuances of cyber insurance, or with claims-made policies in general, risk compromising coverage by failing to report incidents in a timely manner. Consider this example. A law firm sustains a ransomware attack that holds its data hostage and demands a $4,000 ransom. Because the law firm performs regular backups, it simply restores its lost data from its most recent backup. Despite having coverage for “cyber extortion”, after speaking with their broker they decide they would rather not risk a potential non-renewal or rate increase from the insurer, so they decide to incur any costs out of pocket and not to report the claim to the carrier. A year and a half later, however, it’s discovered that the data was subsequently sold online, resulting in the law firm’s clients suffering from identity theft. This prompts a forensic investigation, notification requirements and defense costs. Upon realizing the mounting costs, the law firm decides to report the claim to its insurer. The claim, however, is denied on the basis of late reporting, since it was not reported during the correct “policy period” of the prior term.
- Market Navigation: Cyber criminals are intelligent and resourceful, constantly exploiting newly discovered vulnerabilities and improving their methods of intrusion. This creates a risk environment that is always changing. In response to these emerging methods of fraud and intrusion, insurance companies are continually broadening their policies and releasing new products. Continuously renewing your policy without revisiting its terms and coverages could mean that you’re missing out on otherwise available enhancements.