“Can you review this cyber insurance questionnaire?” has been the question of 2016. Some of our clients added this coverage in 2014 or 2015 and are preparing to renew or expand their policy. Others are evaluating this coverage for the first time. Even though we agree that most small and medium businesses should have a policy in place, it’s important to know what you are getting, what you aren’t getting, and the worrisome gaps in the middle.
What is cyber insurance?
Cyber insurance, or Cyber Liability Insurance in most cases, is an insurance product geared toward protection against losses stemming from data theft and data loss, or business interruptions caused by malware or a computer malfunction. Covered under the definition are losses attributable to fines and lost income as a result of a network intrusion or security breach.
As defined by the National Association of Insurance Commissioners (NAIC) cyber liability policies might include one or more of the following types of coverage:
- Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
- The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.
- The costs associated with restoring, updating or replacing business assets stored electronically.
- Business interruption and extra expense related to a security or privacy breach.
- Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.
- Expenses related to cyber extortion or cyber terrorism.
- Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.
Sounds great, right?
In principle, Cyber Liability Insurance can be a solid product for assuming some large risks associated with ever-increasing use of technology in our businesses. The risks we face today are arguably more destructive and more likely to effect a business than a natural disaster. As more and more business is conducted online, with cloud services and backup, the physical destruction risks are less impactful than the potential for data destruction or privacy breaches. This insurance can help organizations when they experience one of these events.
What’s the catch?
There are many issues with the current state of Cyber Liability Insurance.
Cyber risk remains difficult for insurance underwriters to quantify because actuarial data is hard to come by.
Insurance companies simply don’t understand the risk and the magnitude of exposure that can be associated with cyber incidents.
Most policies are underwritten with a risk assessment questionnaire that is long and arduous.
Due to the lack of actuarial data, insurance providers resort to a lengthy questionnaire to help qualify the risk of the organization. Most companies answer this questionnaire optimistically, assuming that YES responses will get them a better premium. It likely will, but if you need to file a claim, you should expect the insurance company to demand proof that you are performing all of the policies, processes, controls, and trainings you answered YES to. If you are unable to show compliance with your answers, you can expect that the insurance company will not payout.
Claims may easily be denied
The following reasons are noted by Property Casualty 360 as top reasons that claims for cyber are denied.
- Late or improper notification
- Lack of understanding on coverages
- Exclusions within the contract language
- Not involving the carrier early enough
Cyber Liability is NOT an excuse to skimp on IT Security Policies, Procedures, Protections, and Controls.
Organizations should not rely on insurance to make them whole again after a cyber incident. Even if a claim is funded, a breached or damaged organization will have significant operational and client-facing challenges to work through. TECHmarc Labs provided a solid rundown of some of the associated losses
- Additional expense of credit monitoring and identity protection services provided to customers.
- Loss of current and future revenue from existing customers.
- Government fines associated with violation of industry regulations.
- Legal defense fees associated with litigation.
- Cost of insurance and implementation of electronic countermeasures to detect future attempts.
- Damage to your company’s brand and reputation in the market.
- Prolonged court cases which distract from business focus.
- Theft of company secrets or intellectual property including manufacturing processes, competitive intelligence, company growth plans and strategic initiatives.
- Loss of focus on product development/competitiveness while time is spent cleaning up the mess.
What should I do today?
1) Review your current policy or work with your provider to see available options.
2) Check the fine print for exclusions that are relevant to your business model.
3) Review your questionnaire with your IT Provider and ensure you have the proper controls in place to answer truthfully.
4) Identify an IT Security Framework to guide your organization. Ensure that you have the budget and buy-in to take security seriously.
For more small business security tips, check out our white paper: