There has been a lot published the last few years about cyber insurance (CI). Despite all that content, confusion remains as to the value a CI policy brings to a business; this is especially true among small- and mid-sized businesses (SMB's). This article looks to reduce the fog around five key areas of any solid cyber insurance policy and highlight why CI is now a necessity for almost all businesses.
The reality of today's interconnected world is that it's no longer a matter of if your business will suffer a cyber incident but when you'll experience one. Your business is no longer “too small” or “doesn't have any data a hacker would want;” if you have a device connected to the Internet, you're a target. That means you must take steps to prevent AND recover from a cyberattack.
Cyber insurance should be part of any recovery plan. CI is not there in lieu of other recovery best practices; it's another tool in your toolbox. But to get the full protection of a CI policy, you must understand what you are and are not getting for your annual premium. The five key elements below are requirements for any cyber policy you purchase.
This is the place you start with all insurance policies – what will be covered. Given technology’s every-changing nature, you want CI coverages to encompass the most probable cyber risks to your business. How you determine those risks is through a partnership with your IT team (in-house or outsourced). Engage in “if this, then this” threat assessments and match the results against the coverage lines in your policy. But don’t go crazy. No policy will cover every situation you can dream up.
There are a few coverages that are a must for your CI policy (NOTE: these may be worded differently depending on the carrier):
- Network & Information Security (Privacy) Liability
- Breach Response & Remediation Team
- Funds Transfer Fraud
- Cyber Extortion
- Regulatory Defense Costs
- Business Interruption
- 1st- & 3rd-party Coverage (coverage for you & your clients/customers/vendors/partners/etc.)
Now cyber insurance does not replace a cybersecurity program based on best practices. Insurance carriers are tightening their standards around policies, requiring insureds to implement reasonable solutions around cybersecurity policies, procedures, defensive systems & measures, end user training, and response protocols. Failure to deploy these solutions, or worse, saying you have done so on an application and then not doing so, could result in denied claims and/or canceled policies. Insurance carriers will no longer assume your cyber risks if you don’t make best efforts to minimize the overall risk.
This new reality highlights why it’s critical you work closely with your IT resources to develop, implement, and test cyber security and recovery programs. These programs will not guarantee your protection, but they are necessary and will be your primary evidence as to why a claim should not be denied, which is ultimate goal of any insurance policy.
Limits indicate the maximum amount of money an insurance carrier will commit to a particular policy for the policy year (12 months from effective date). To give you an example, you may see a policy state “$1,000,000 per occurrence, $2,000,000 aggregate.” This means the policy will cover up to $1,000,000 for a single claim and a total of $2,000,000 for any number of claims during the policy term.
A carrier may offer different limits for individual coverage elements on a CI policy. Identifying those differences will enable you to prioritize those risks that may result in the greatest financial damage and align those risks with the coverages and limits to ensure you’re within a reasonable margin.
Traditionally, limits are determined by your company’s annual revenue. This formula leaves a potential gap in your CI coverage, especially when it comes to the value of the data you hold. For example, you hold the Social Security Number (SSN) of a client – the value of that data to you is typically the revenue you generate from the client. To the client, though, their SSN is worth 100x more than that number. An insurance carrier with not cover that difference. To them, that’s a contractual agreement between you and your client. There are limits on the limits in a CI policy.
- Retention (Deductible)
The retention (aka deductible) is the amount you agree to pay before the insurance kicks in. A higher retention can bring down your annual premium, to a point. Like limits, carriers may vary the retention based on the coverage element. So, for those situations that may result in an immediate cash dispersal, such as a ransomware payment, you may want to have a lower retention amount versus a situation that may have a higher total cost but spread out over a longer timeframe, such as data recovery.
Retentions are vital components due to the immediate cash outlay required by your business, so structure your retentions at a level you can comfortably cover.
Exclusions are what is not covered by the CI policy. This is almost as important as what’s covered. There are standard exclusion lists and then some exclusions are added through an endorsement (special amendment to the policy). Reading exclusions is monotonous but necessary. You never want to be caught by surprise.
NOTE: There are some exclusions standard to almost all CI policies, but each carrier has their own list with their own descriptions. Don’t assume all are the same.
- Extended Reporting Period
The fallout from a cyber incident can be both instant and long lasting. Where ransomware will encrypt your systems/data in seconds, the damage to your business, your clients/customers, and other entities may not be known for days, weeks, months, or years. So the end of the cyber event could be just the beginning of your troubles.
As long as you maintain your cyber policy, then even claims made a year after a cyber incident would most likely be covered. But what if you retire or close the business? Then any action brought after you cancel or non-renew your CI policy would not be covered unless you purchased extended reporting period (ERP) coverage.
ERP is not insurance. It simply lengthens the period during which you can file a claim beyond the policy’s expiration/cancellation date. It will not provide coverage for incidents that happen outside the policy period. This is not a required element of a CI policy, but it’s something to be considered for your long-term peace of mind.
The business benefits of technology are almost innumerable, but with those benefits come serious risks. A cyber event can damage your company’s bottom line, result in extensive legal and regulatory actions, and irrevocably harm your standing with clients/customers/vendors/partners/the general public. To carry this burden alone makes little sense given the increasing frequency of successful cyberattacks against businesses of all sizes.
Cyber insurance, like all insurances, is there to help unload the risks around cyber onto an insurance carrier. While premiums are rising and standards tightening, a practical cost-benefit analysis usually shows it’s still a smarter move to have the insurance than not. So do further homework on CI, talk to your company’s insurance professional, and then protect your business from the inevitable.
This article has been written by Sean O'Rourke with our friends at Combs & Co.