So-called “cyber” insurance policies are some of the most complex policies that an agent or broker will be asked to evaluate. Such policies often have multiple insuring agreements, cascading policy definitions and may even have a mix of claims-made, occurrence and ‘incident-discovered’ triggers applicable to different coverage parts. Compounding matters, there are no standard policy forms in the market. For that matter, there are really no true standard structures, definitions or key terms used among the various insurance offerings in the market. Every carrier’s policy form is pretty much unique.
As an underwriter of ‘cyber-insurance,’ I am often approached by insurance brokers with questions about policy forms and language. Because brokers must evaluate and explain competing offerings to insurance buyers, such questions are both understandable and routine. Most questions are fairly common and appropriate for a complete understanding of the policy. However, over time, it has become obvious to me that there are important differences between ‘cyber-insurance’ policy forms that, in many cases, brokers fail to recognize.
The following are five important differences in ‘cyber insurance’ products that are often overlooked.
1. Breach response expenses: “Pay on behalf of” or “Indemnity”?
Does the policy promise to pay breach response expenses “on behalf of” an insured or rather to “indemnify” the insured for such expenses? If the insuring agreement promises to indemnify the insured, the insured may need to pay these expenses first and then wait for reimbursement. Obviously, having an insurer promise to pay such costs immediately on behalf of the insured is preferable.
2. Breach response expenses for suspected breach events?
Imagine that an insured has a reasonable basis to suspect that a breach has occurred. Perhaps they have seen unusual activity or been contacted by a law enforcement agency that reports suspicious circumstances. In these cases, it may be reasonable for an entity to retain expert computer forensic services. Such services can be expensive. So, what happens if the computer expert reports that they can find no evidence of a breach of computer security?
Insurance buyers will likely expect such costs to be covered by the policy. As such, insurance brokers should confirm that the section of the policy covering breach response expenses includes coverage not only for an actual breach event, but also for expenses incurred for a reasonably suspected breach event or to determine the existence, cause and scope of a data breach event.
3. Business interruption: period of recovery/extended period of recovery
The business interruption coverage available under most ‘cyber insurance’ policy forms has been a hot topic of discussion for the past several months. Understandably, brokers are concerned with the coverage triggers for such coverage as well as understanding how retentions and waiting periods will apply to such coverage.
Often overlooked in the analysis of business interruption coverage is the length of time for which such coverage is provided. Brokers should consider both: (1) the total amount of time for which coverage will be provided; and (2) the circumstances under which the coverage will terminate.
The most obvious issue is the maximum period of time for which the policy will cover a business interruption. Under traditional property policies, coverage is generally extended for up to 12 months after a loss occurs. ‘Cyber-insurance’ policies, due to the nature of the loss exposure, deal with shorter time frames of loss and recovery. Generally speaking, policies available in the market limit the period of coverage to between 30 days and 180 days. When the goal is to protect the insured entity from a worst-case scenario, brokers should look for longer periods of recovery.
What may be a more important issue, however, is the circumstances under which coverage will terminate before the maximum period of time is reached. Under many policies, coverage will terminate upon the restoration of the systems to normal operating condition. This may seem like a logical point to terminate coverage. The issue, however, is that there may be a considerable lag between systems being restored and business activity returning to normal levels.
In a simple example, presume that an insured’s e-commerce operations are restored after a seven-day interruption. It is unlikely that customers will immediately return after a week of the insured’s e-commerce system being unavailable. For this reason, some policies offer what is known as an extended period of indemnity. Under an extended period of indemnity, coverage is provided past the time that systems are restored until business activities return to normal.
In order to obtain the broadest possible coverage, savvy brokers will look for the longest possible maximum period of time that coverage will apply, and for an extended period of indemnity. In my experience, however, these issues are often overlooked by many brokers.
4. Breach response: panel vendors
In some cases, carriers may require that an insured use approved service providers from an established panel of service providers maintained by the insurer. Freedom to select any reasonable vendor will often be the preference of any insured, but on the other hand, a pre-approved panel of vendors often enables significant cost savings (which benefits insured and insurer alike) as well as the ability to avoid having to obtain the insurer’s approval of a vendor (approval often being a requirement of coverage).
The key point here is that brokers should be careful to make insureds aware of such a restriction. Surprises can be painful, and no less so when they occur in the middle of managing a difficult breach response. At the same time, brokers should review the depth of the panel, and how well the vendors align with the insured’s needs and expectations. Many CIOs, CSOs and CISOs will attest that selecting the right vendor may involve issues other than expertise, capacity and cost.
5. The service behind the policy
This may be the most overlooked coverage issue of all. That’s almost understandable because it exists largely outside the lines of the policy. Yet the services and assistance available under a cyber-insurance policy are just as important as the financial protection.
The fact is that most insureds have limited experience with data breach issues and even a relatively simple breach event, or suspected breach event, can bring complex issues and difficult questions. More succinctly, insureds don’t want to be distracted by sorting out breach response issues. Rather they want to take the right actions and get back to business as usual. The right services can make a world of difference in enabling insureds to accomplish that goal.
Just looking at a (relatively) simple instance of ransomware:
* Should we pay the ransom?
* Can we legally pay the ransom?
* If we pay the ransom, is the bad actor likely to provide us with the encryption key? (hint: not all of the bad actors will provide a key, and some that provide keys send keys that won’t work).
* How do we obtain Bitcoin?
When employees start reporting being the victims of fraudulent tax filings, or a payment processor demands that an entity obtain a computer forensic audit from a PCI Forensic Investigator, the issues only get more difficult and complex.
A “save your receipts” approach from a claims department that is prepared to pay claims quickly and fully still leaves a lot to be desired. As such, brokers should ask considered and detailed questions to determine the nature and extent of services available to the insured.
- Does the insurer provide access to a breach coach? An outside team of experts?
- Are there limits on the time or frequency of such assistance?
- Is help available 24/7?
- How does the insured report an actual or suspected event?
- Does the insurer have access to legal, computer forensics and other experts that can and will be available on demand?
Insurance, after all, is a service business. Brokers should be prepared to review the complete package of services available when reviewing options with an insurance buyer.
That’s my list of the 5 things that I see brokers overlooking in cyber-insurance policies. It is not quite fair to say that these are the 5 most important things to look for in a cyber insurance policy. Perhaps, that’s a topic for another day. In the meantime, please feel free to share or send me your comments or questions. I’d like to hear if there are other coverage issues that you feel are overlooked.
Full disclosure: Some of the products underwritten by my employer require an insured to use vendors from an approved panel of service providers.