Cyber Insurance is NOT a Blanket Solution for Cybersecurity!
November 10, 2016
Here's Law360's view on the matter...
"As a first step in the process when considering cyber-related coverage, a company should analyze its own potential exposure and shore up any information security gaps before engaging in the underwriting process. Roadblocks to coverage often include inadequate network security, inadequate information security policies and procedures, poor records management and inadequate employee training. If possible, fix any gaps prior to undergoing an insurer's underwriting review to prevent a rejection of coverage or higher premium."
Purchasing cyberinsurance also requires careful consideration and negotiation of the policy language to ensure that your company is purchasing best-in-class coverage. As with other insurance policies, cyberinsurance policies contain a host of exclusions and limitations on coverage that you, as a buyer, need to be aware of. Many of these exclusions are similar to exclusions and conditions commonly found in Directors & Officers Liability insurance (D&O) and Errors and Omissions Insurance (E&O) policies, and in our experience, policyholders can obtain enhancements eliminating or limiting the scope of certain exclusions for little or no additional cost.
Specific policy terms and conditions to consider in evaluating a cyberinsurance policy include the following:
1. Pay careful attention to retroactive dates: Cyber policies often restrict coverage to a certain range of dates. Because breaches may go undetected for some period of time, it is important to purchase coverage with the earliest possible retroactive date.
2. Broaden regulatory investigation coverage: State and federal agencies have become increasingly active in regulating privacy issues, and it is important to ensure that a cyber policy covers all potential regulatory investigations following a breach, rather than a narrow enumerated list of agencies.
3. Obtain coverage for unencrypted devices: Ensure both encrypted and unencrypted devices are covered in the policy, even if a device is employee-owned. Some cyber policies attempt to exclude coverage for unencrypted devices, which often affects companies that allow employees to use their own devices.
4. Ensure coverage for data in the cloud: Companies should make sure that data stored with third parties or in the cloud is covered, even if the third party experiences the data security breach.
5. Avoid terrorism exclusions: Cyber policies often exclude coverage for terrorism, hostilities and claims arising from "acts of foreign enemies." Given that many data security breaches originate abroad and may be perpetrated by groups that could be considered "foreign enemies," companies should be sure to eliminate or limit the scope of these types of exclusions.
6. Pay attention to sub-limits: Sub-limits can greatly reduce coverage. Most cyber insurance policies impose sub-limits on some coverages, such as notification costs and regulatory investigations. These sub-limits are often inadequate.
So, what can you do about it?
There is NO substitute for proper cybersecurity policy enforcement.
Our recommendation is as follows:
1. Get a written cybersecurity policy document in place, immediately (if you haven't done so already)
2. Complete a comprehensive IT risk assessment for your firm to assess gaps
3. Test your policy against implementation continuously and store the evidence
4. Train your staff and store the evidence
5. Perform third-party vendor due diligence and ... you got it!