Mar 19, 2017 What to Look For When Assessing Cybersecurity Insurance
Earlier this week I discussed the three top mistakes that companies make when assessing cybersecurity insurance. Now it’s time to take a look at what to consider when assessing insurance coverage.
As noted previously, the best way to conduct this review is for the CISO and the business executive responsible for insurance (typically someone in the CFO’s or risk management office) to review and discuss these options jointly. Unless both the risk and infosec teams understand the tradeoffs, you’re not likely to select the optimum policy.
Step One: What Type?
The first thing to consider is whether you want a standalone or package policy. A standalone policy provides coverage according to its own terms and conditions, and is tailored to cover specific risks and costs. Most cybersecurity insurance policies in force in the U.S. are standalone policies.
Package policies, or Commercial Package Policies (CPPs), are general “umbrella” liability policies under which separate coverage parts can be purchased. Package policies have lower premiums because the insurer predetermines the risks covered, and the ready-to-sign forms are less labor intensive (hence CPP policies are often called “standard form” or simply “form” policies.) Some property/casualty insurers will offer a company a “data breach rider” to the company’s existing policy.
Our recommendation: focus on a standalone policy; the CPPs lack the customization that most companies need.
Step Two: What’s Covered?
The next item to consider is what’s covered, and what you need covered. This is the area that’s likely to create the greatest amount of discussion between the infosec and risk management folks—because it affects how and when to make technical investments (to cover the areas that cybersecurity insurance doesn’t).
Common coverage areas include:
• Network security policies cover breach or failure of a company’s network, theft of intellectual property, loss of consumer data, destruction of data and equipment, and sometimes cyber extortion.
• Privacy liability policies cover breaches not involving network security failures, such as the wrongful collection of information, loss or theft of physical records through lost equipment, and wrongful disclosure of data through human error.
• Media liability policies cover advertising injury claims, infringement of intellectual property, copyright/trademark infringement and libel; normally this kind of coverage falls under an umbrella policy, but some insurers now add media liability clauses into standalone policies.
Step Three: First-Party vs Third-Party
Once you’ve discussed what areas your policy should (or shouldn’t) cover, the next question is who it should cover. Policies typically contain one or both of two types of coverage: “First-Party” and “Third-Party.” First-party coverage applies only to the policyholder, and covers their expenses in case of a loss (just like valuables protection in homeowners’ policies). Third-party coverage applies to others, and may cover legal defense costs, and damages and liabilities to third-parties (e.g., customers, business partners, and regulatory agencies) resulting from a security event.
Common first-party costs covered include:
• Forensic investigation of the breach
• Legal advice to determine your notification and regulatory obligations
• Notification costs of communicating the breach
• Offering credit monitoring to customers as a result
• Public relations expenses
• Loss of profits and extra expense during the time that your network is down (business interruption)
Common third-party covered costs include:
• Legal defense
• Settlements, damages and judgments related to the breach
• Liability to banks for re-issuing credit cards
• Cost of responding to regulatory inquiries
• Regulatory fines and penalties (including payment card industry fines)
Step Four: What’s Not Covered?
Cyberinsurance policy exclusions vary widely. Many policies exclude major attacks from ransomware or state-sponsored espionage. Some exclude legal fees. Items typically not covered include:
• Reputational harm
• Loss of future revenue
• Costs to improve internal technology systems
• Lost value of an indivual’s own intellectual property
For areas not covered, you’ll want to discuss who is paying for these in event of a breach.
Step Five: Who Provides It?
Although there are upwards of 500 U.S. cybersecurity insurers, roughly half the market is divided among three firms: American International Group (AIG), Chubb, and XL Group. AIG has about 22 % of the cybersecurity insurance market, followed by Chubb at 12 %, and XL Group (XL Catlin) at 11 %. Other major providers include Berkshire Hathaway, Liberty Mutual, Travelers, Nationwide, and Hartford.
Ideally, you’ll want to look at policies from at least 3-5 of these providers, based on your assessment so far.
The Future: Cybersecurity Insurance Health Checks
Although it’s not common yet, a logical next step in this market is a partnership between security firms and cybersecurity insurance firms to offer cybersecurity “health check” assessments as part of the process for applying for insurance. That is, just as life insurance policies generally require a medical assessment, cybersecurity insurance policies will increasingly require a cybersecurity health check. Look for network security companies such as Cisco Systems, professional services firms such as Dimension Data and E&Y, and general security companies like Symantec to start getting into this space.
The bottom line? When it comes to assessing cybersecurity insurance, doing your homework will pay off.