Managing Cyber Risks: Tips for Purchasing Insurance That Works for Your Business (Part 1)

Omid Safa, James S. Carter, and Jared Zola

With information technology touching nearly every aspect of commerce in our “wired” economy, few issues present more concern to businesses today than cybersecurity. Cyberattacks continue to proliferate at an alarming rate, and the threats facing companies continue to evolve and grow more sophisticated with each passing day. The legal and financial costs associated with such events also grow more serious, as legislators, regulators, and customers insist on greater protection and impose more stringent requirements. Meanwhile, insurance companies have sought to limit the coverage available under traditional insurance policies with new exclusions aimed at cyber-related risks. As a result, it has become imperative for organizations to reevaluate their cybersecurity protocols and breach response plans, and to treat their insurance coverage as an asset that helps offset the losses and liabilities associated with such events when all other safeguards fail. Increasingly, this means that companies must consider purchasing cyber-specific coverage to insure against these emerging risks and to address the potential gaps in their traditional insurance programs.

As many businesses have found, however, deciding to purchase cyberinsurance and obtaining coverage that actually matches your business risks can be two very different things. In this blog series, we will offer tips for navigating the purchase process and obtaining coverage more closely aligned with your business objectives and risks. We start by highlighting several “big picture” considerations relevant to any organization contemplating a cyberinsurance purchase.

  1. Ignore Labels

Purchasing cyber coverage is not like purchasing other types of insurance. Compared to more traditional insurance products, the cyber market is still in its adolescence and does not feature standard industry forms that are universally adopted by insurers. Instead, insurance companies in the cyberinsurance market have developed their own idiosyncratic cyber products, which vary widely in their terms and in the coverage being offered. These differences are seldom apparent without a thorough review of the relevant policy language, however, because insurers tend to use similar labels when marketing their policies and describing their coverage offerings. For example, insurers routinely describe their cyber policies as covering “crisis management,” “security and privacy liability,” “cyber extortion,” and “network interruption” exposures (or some variant thereof). But what those labels mean differs from insurer to insurer. Purchasers should never rely on such descriptions as a substitute for analyzing the terms, conditions, and exclusions of a cyber policy, nor assume that the use of similar labels implies equivalence across different insurance policies. “Cyber” policies that appear to offer the same menu of coverages can vary greatly once the fine print is analyzed. The devil is in the details, not in the general descriptions.

  2. Seize the Opportunity

The lack of uniformity gives leverage to any organization considering a cyberinsurance purchase. The competitiveness of the cyber market, along with insurers’ desire to increase market share in this rapidly growing area, means that many insurers are more receptive to negotiation and customization than in other contexts (although that fact is seldom advertised).

Moreover, insurers recognize that their “off the shelf” cyber policies often contain features that are irrelevant to certain purchasers given the nature of their particular businesses and exposures. If left unaddressed, such features provide no value and waste premium dollars that could be better spent elsewhere. Meanwhile, the same policy may provide no coverage, or only nominal coverage, for the exposures that are directly pertinent to the business. In such instances, the insurance company may be willing to modify the coverage to encompass a business’s most important risks, so long as the issue is raised during the underwriting process. The only way to know is to push for better terms. Do not settle for a generic policy and simply hope for the best. Such policies are merely the starting point for negotiations. You can, and should, demand more.

  3. Perform a Risk Assessment

Before considering a cyberinsurance purchase, an organization should thoroughly evaluate its exposures and develop a clear picture of the risks that must be addressed for the coverage to provide meaningful protection and value (i.e., the “must have” items). Achieving this global perspective requires a team effort. Senior management, information technology, security and privacy personnel, and the in-house legal department all bring different perspectives to the table and play important roles in this process. Senior management can provide insight into the nature and breadth of the organization’s current activities, as well as the strategic direction of the business and any future opportunities on the horizon that may bring new risks. Considering future possibilities is particularly relevant in the cybersecurity context given the rapidly growing number and severity of threats. Information technology, security, and privacy personnel bring their technical expertise and knowledge of the organization’s IT infrastructure to the discussion. They can help those responsible for negotiating and purchasing insurance understand the potential vulnerabilities in current systems and processes, and identify the scenarios most likely to lead to a security breach. The legal department can then assess the potential legal risks and ramifications of those scenarios. Involving all of these stakeholders ensures a more holistic view of the threats facing the business and a clearer understanding of the “real world” consequences of a breach event. Armed with this knowledge, the organization will be better positioned to pinpoint and prioritize the risks it needs to mitigate through insurance (or, at a minimum, to identify where additional security measures should be explored because insurance is unavailable).

  4. Consider Options with Your Insurance Team

After performing a risk assessment and isolating the exposures most relevant to the business, an organization should take stock of the insurance it currently maintains, identify all gaps in coverage that need to be addressed, and determine the most appropriate method for filling those gaps through a cyberinsurance purchase (e.g., what additional coverages are necessary? What limits are sufficient to address the threats? Is it more advantageous to purchase standalone cyberinsurance or to integrate cyber coverage into existing insurance programs through endorsements and manuscripting?).

Internal risk managers serve as an important resource in evaluating the options, along with outside brokers and insurance coverage counsel. The risk management department can provide in-depth knowledge of the existing insurance programs and help identify current policies that may already provide some coverage for cyber-related events (e.g., computer fraud under an existing crime policy). But internal risk managers often have less information about the latest developments in the cyber market, given the ongoing evolution of the policies and the significant customization that takes place. Thus, organizations typically seek the assistance of their trusted broker and outside coverage counsel. Because they work with policyholders and insurers to facilitate such purchases on a daily basis, brokers can offer valuable insight into the current state of the market and the terms commonly being offered by different insurers. Outside insurance counsel plays an important role in evaluating proposed policies, customizing the language, and ensuring that the final product satisfies the client’s requirements. Drawing on their knowledge of contract law, key interpretive principles, and coverage disputes, outside counsel can help purchasers avoid common pitfalls and customize the policy language with an eye toward enforceability and minimizing the need for future litigation. Coverage counsel is also uniquely positioned to analyze the interplay between different terms and conditions in the policy, which helps promote seamless coverage and avoid unintended pitfalls when language is changed or added to a cyber policy.

  5. Get It in Writing

While the purchasing process for cyberinsurance can be unique, it is crucial to remember that issues of enforceability and contract interpretation are not. Ultimately, a cyberinsurance policy is interpreted and enforced like any other insurance contract. The policy language is the key, and a policyholder’s ability to recover will turn on the terms found in the contract. Thus, purchasers should never rely on oral representations or assurances regarding the scope of coverage that are not reflected in the policy language itself. If such assurances are offered during the underwriting process, the policyholder should insist that the insurer change the policy language to clearly reflect that intent.

  6. Continually Update

After purchasing a cyber policy, it is important to avoid the trap of renewing the coverage year after year without thoroughly considering developments over the past year. The risks most relevant to a business can change rapidly as the organization changes and as cyber threats evolve. With cyber-related risks and threats in constant flux, the renewal process should be used to ensure that a business’s cyberinsurance remains aligned with those changes. It may be necessary to alter or add terms, conditions, and endorsements to improve the scope of coverage.