
Cyber Insurance: One Size Doesn’t Fit All

There is no one perfect insurance policy for all clients, but retail agents can help their insureds find appropriate coverage forms by focusing on the exposure. This is especially true of cyber liability insurance.

 

At least 160 admitted and non-admitted markets offer some form of cyber insurance — and this number is growing. As a result, coverage wordings, limits and policy features vary widely. For these reasons, it is difficult to compare one cyber policy to another. To obtain the best coverage for a given insured, it is important to understand the range of policies available. 

Reasons for policy differences include variations in insurers’ appetites as well as policyholders’ cyber exposures. For example: 

DATA PROCESSING AND STORAGE 

Organizations process and store varying amounts of personal records. Cyber insurers generally want to know how many records a client handles in a given year. Some insurance markets decline to underwrite risks that hold or process a high volume of personal data. It is not hard to understand why: in a data breach, the more records that become exposed, the greater the potential expense. In addition, organizations with large record counts are attractive targets for cyber criminals.

LIMITS REQUIRED BY CONTRACT 

More business contracts are stipulating millions of dollars in minimum limits for cyber risks, higher than some insurers are willing to offer on a primary basis. In the healthcare industry, it’s not uncommon to see even small contractors requesting at least $10 million in data breach coverage. Even though some insurers do offer limits above that, some restrict their primary cyber liability limits to $5 million. If the required limits are not available from a single source, an excess program may be the only way to meet contractual obligations. Assembling excess layers in a cyber program can be more expensive than obtaining the entire amount of coverage from a single insurer. 

CLASS OF BUSINESS 

Most insurers maintain lists of excluded classes. For example, some insurers prefer not to write cyber risks for classes such as municipalities, higher education, real estate, financial institutions, payment processors, title/escrow, health information exchanges, hospitals or auto dealers.

UNIQUE EXPOSURES

Clients may have cyber-related exposures that other organizations do not. For example, professional services businesses such as law firms and insurance agencies may benefit greatly from cyber coverage for reputational harm. Similarly, an online retail store that outsources payment card processing might require coverage for dependent or contingent business interruption or systems failure.

CYBER COVERAGE CONSIDERATIONS 

Here are some areas where cyber coverage differs significantly from market to market: 

Dynamic Loss Prevention Services. Cyber risk assessment and mitigation services that insurers offer can range widely, from security scorecards to penetration testing, ongoing security monitoring and alerting, information technology consultants on call, benchmarking and legal services. 

Breach response costs. Common features of breach response coverage, which may be subject to sublimits, include costs for forensic investigation. 


Inside the limits or outside the limits? Another wrinkle in cyber insurance is whether policies cover breach response costs outside the policy limits or within them. Similar to defense cost coverage in liability policies, rising breach response costs can erode the overall limits. Coverage outside the limits is a significant point of differentiation among cyber insurers. For example, some insurers offer such coverage based on the number of affected individuals, up to a maximum threshold, with no cap on the payout for notification and credit monitoring expenses if the total number of affected individuals falls below the maximum. 

Business/dependent interruption/systems failure. Variable elements here include waiting periods and how deductibles are applied. Policies that offer protection for dependent or contingent business interruption/systems failure also differ in how they define a dependent business. The Period of Restoration is another important factor to consider, as it may range from as little as 30 days to as long as 360 days.

Data restoration coverage. Some policies provide coverage until a final determination that data cannot be restored from backups or physical files, while others will cover actual expenses incurred to recreate the lost data (e.g. staff overtime pay to redo work, such as engineering or accounting). An important point of differentiation here is the trigger, as some policies may pay out for accidental, non-malicious destruction of data. 

Reputational harm. Not all insurers offer this coverage, and those that do generally have Periods of Indemnity ranging from 30 days to 360 days. As with the length of the Period of Restoration, longer periods offer significantly better protection for policyholders and should not be overlooked. 

Cyber crime. Some policies offer coverage for losses arising from social engineering. When this coverage is granted, it may impose conditions on the policyholder, such as call backs to verify requests to transfer funds. Some policies do not require call backs. Traditional crime policies extend coverage on an “each and every” basis, rather than an aggregate number of occurrences. At least one insurer uses this approach to cyber crime, enabling a policyholder to tap the coverage over and over within the policy year. 

Other endorsements. Another way underwriters differentiate their cyber offerings is through a variety of policy endorsements, which can respond to different needs. Endorsements in cyber policies might include: contingent bodily injury/property damage; coverage for “bricking,” in which computer hardware is rendered permanently inoperable (i.e. as useful as a brick); invoice manipulation; and offline media liability coverage, including amendments to the definition of media perils, such as negligent publication of content within the media coverage agreements. 

WHAT RETAILERS SHOULD DO 

Retail agents seeking cyber insurance for their customers should already know that the complexity of this line requires a thoughtful approach. It is important for retailers to talk with insureds regarding their cyber exposures, risk tolerances and business goals. 

Some questions that can guide the conversation include: 

  • How does your business use and store data?
  • What kinds of first-party and third-party data does your business collect and store?
  • Does it deliver products and services electronically?
  • How would your business handle an inability to access its data and systems? What if they were inaccessible for more than 24 hours?
  • Does the business conduct ongoing employee training to mitigate cyber incidents? 

BOTTOM LINE

As in all lines, the best cyber coverage form is the one that fits the insured’s risk. To find coverage that fits, partner with an experienced wholesale specialist who knows how to navigate the complex cyber marketplace. CRC Group producers have access to proprietary Cyber Benchmarking tools to help make insurance purchasing decisions easier.

Contact your CRC Group Producer for more information. 

Contributors:

  • Mark A. Smith is a CRC Senior Vice President and professional liability broker, based in Seattle and a member of the ExecPro Practice Advisory Committee.
  • Tyler O’Connor is a broker in CRC’s Birmingham, AL office and a member of the ExecPro Practice.
  • Clay Segrest is a broker in CRC’s Birmingham, AL office and a member of the ExecPro Practice Advisory Committee.

GUEST CONTRIBUTOR: Amanda Harvey, Partner, Wilson Elser Moskowitz Edelman & Dicker LLP

About Wilson Elser Moskowitz Edelman & Dicker LLP

Wilson Elser helps individuals and organizations transcend challenges and realize goals by offering an optimal balance of legal excellence and bottom-line value.

More than 800 attorneys strong, our firm serves clients of all sizes, across multiple industries and around the world. Wilson Elser has 38 strategically located offices in the United States and another in London. This depth and scale has made us one of the nation’s most influential law firms, ranked in the Am Law 200 and top 56 in the National Law Journal 500.

Since our founding in 1978, Wilson Elser has forged a reputation as a formidable player in insurance coverage and defense. Our experience in this tightly regulated, cost-conscious industry has shaped a firm culture of accomplished professionalism and cost efficiency that delivers demonstrable value to clients.