Buying Cyber-Insurance: 5 Tips by Jeffrey Roman,
As more organizations consider cyber-insurance coverage in light of high-profile data breaches, such as those at JPMorgan Chase,Community Health Systems, Supervalu and Target, it's important that they weigh certain factors to make sure a policy fits their specific needs.
"The prevalence of high-profile breaches over the past year is only accelerating the process of companies investigating cyber-insurance," says Michael Bruemmer, vice president at Experian Data Breach Resolution, who says more of his clients are considering and obtaining cyber-insurance than ever before. "The greater awareness and interest in cyber-insurance started about two years ago, but certainly this has accelerated because of the recent large breaches."
Issues to consider when looking into cyber-insurance include: retroactive coverage for losses that arise from undiscovered breaches that occurred before a policy purchase; having the ability to select the breach response vendors and legal representation an organization wants; and making sure the coverage extends to incidents that stem from employee-owned devices.
"Cyber policies are a relatively new product in the insurance market and are non-standardized," says Gregory Podolak, a partner at the Saxe Doernberger & Vita law firm. "This means the key language is relatively untested by the courts, can vary extensively from product to product, and may not necessarily align with the evolving nature of the risk."
In addition to Podolak, we spoke with the following experts to get their insights: Lon Berk, a partner at the law firm Hunton & Williams; Sean Hoar, member of the privacy and security team at the law firm Davis Wright Tremaine LLP; and David Bradford, president of research and editorial at Advisen, an insurance research company.
These experts offered five key considerations when selecting a cyber-insurance policy:
1. Retroactive Coverage
Having a retroactive date within a cyber-insurance policy means it extends back several years to cover the costs of breaches that may have occurred at a previous date but weren't discovered until after the policy was purchased. Many policies provide coverage "in the year that a claim is made," Berk says.
For instance, if an organization's coverage has a retroactive date of the year 2000, and a breach that happened in 2000 was just discovered in 2014, the organization would have coverage, he says. "If it began before the year 2000, then you wouldn't have coverage. Make sure and pay attention to the retro-date and make sure you have appropriate language in your policy forms."
Insurers generally offer retroactive coverage that extends back in time one, two, five or 10 years, Podolak adds.
2. Selecting Vendors, Legal Counsel
When selecting their cyber-insurance policies, organizations should make sure they have the ability to select for themselves the breach response vendors and legal counsel they deem appropriate, says Hoar, a former lead cyber attorney for the U.S. Department of Justice in Oregon.
"I have had a number of existing clients who didn't realize their cyber-insurance policy limited their choice of legal representation," he says. "They were shocked and disappointed to find they had to engage unknown third-party counsel or pay out of pocket for all legal service related to the data breach or compromise."
When drafting the policy, organizations should ensure they have the right to select the forensics organizations, advisers and public relations firms they want as well, Berk says. "You want to be able to select your vendors, not vet up to the insurer."
Organizations are more frequently allowing their employees to use their personal devices for work-related activities, Berk says. As a result, organizations should make sure breaches involving those employee-owned devices are covered by cyber-insurance.
"You don't want the definition of a computer system [in the policy] to just be a computer system owned by the organization, because [employee-owned] devices might [be the cause of the breach]," he stresses.
4. Not One-Size-Fits-All
It's important to remember that cyber-insurance is not a one-size-fits-all product, says Bradford of Advisen (see: Cyber-Insurance: Not One-Size-Fits-All).
"Appropriate cyber coverage depends on a number of factors," he says. Those factors can include type of industry, size of the company, even specific characteristics like a company's information systems and data management processes. "A utility, for example, is concerned about operational exposures, while a retailer may be most concerned about losing payment card information."
For the most part, insurance companies are good at providing coverage for privacy breaches involving the loss of personally identifiable information; that coverage would include such expenses as credit monitoring, forensics and public relations efforts. "Where [coverage] may not be so good is where your main cyber risk does not arise out of the release of personally identifiable information," Berk says.
Organizations whose main risks come from the disclosure of intellectual property or the compromise of industrial control systems, for example, will have a more difficult time finding coverage. "What you have to do is make sure that the risk you're covering is actually the risk that you face," Berk says. "That's something that often requires a deep analysis of what your exposures are."
5. A Knowledgeable Broker
It's critical that organizations work with a knowledgeable broker who can understand an organization's unique risks and explore and explain appropriate insurance options, Hoar says.
"This [process] should involve a 'virtual walk through' of the possible types of breaches and compromises that might occur, and how the policy would apply to the different scenarios," he says.
The broker also should describe the steps an organization would need to take to involve the insurance carrier should a breach or compromise occur.
Ensuring an organization obtains coverage that's right for them also takes a team effort, Berk notes. "You need to get your IT department involved, your broker, lawyers," he says. "Everyone should be involved to analyze the risk if you want to get something to cover you right."
For more insight into cyber-insurance, check out the following coverage from Information Security Media Group: