Cyber Insurance FAQs by Mark Massey

21/11/2015 22:03

1. Will a Security Risk Assessment lower my insurance premium?

This is the typical question we get, but we would suggest a twist to this question that provides an equally good result: How can I raise my limits or sub-limits, and/or lower my retentions for the same premium? The reframing of the question provides more ways to measure success, and is more thoughtful as it gives the policyholder better coverage for the same (or maybe even less!!) premium.

There are multiple levers to pull in the conversation, and although getting the “best price” is in theory an easy way to measure success, it’s impossible to know what that “best price” actually is in a cyber insurance market that lacks uniformity and maturity. The ultimate goal should be to secure the most useful coverage at a fair price.

FireEye is not a broker or underwriter, but we are focused on providing capabilities that enhance the role of insurance. Our goals are to update and inform the insurance community on how best to address and manage cyber risk, which, in turn, informs the cyber insurance underwriting and claims process. The basic premise: the better a policyholder can demonstrate its security posture and resiliency to the insurance market, the better the outcome: fair premiums, higher limits and fewer claims, which is a win for everyone involved.

2. The cost of a cyber policy doesn’t justify investing in a risk assessment. Why should I do this?

The benefits of an assessment are not just a comparison of the cost of the assessment to the premium but rather a combination of multiple factors of the policy:

  • Ratio of assessment fees to premium
  • Ratio of assessment fees to overall capacity:
    • Total limit of first-party liability of policy over prior years
    • Total limit of third-party liability of policy over prior years
  • Ratio of assessment fees to decreases in retention/deductibles over prior years (time and money deductibles)
  • Impact on limits and sub-limits as they relate to:
    • Incident Response Limit
    • Business Interruption Limit
    • Notification Limit
    • Overall Extra Expense Limit

Remember, off-the-shelf coverage is a starting point. The leading practice is to go through an active process to secure the most appropriate coverage for your company at a fair premium. A risk assessment will provide tangible input and insights into the process and help justify both the premium and overall structure of the policy.

Security assessments benefit far more than the insurance process, but this response is focused on the insurance aspect of the question.

3. Will an IR retainer agreement align with my existing cyber insurance coverage?

The short answer is that it should, but do your homework here and don’t assume that it will. Get a copy of your current coverage and ask the risk manager or broker responsible for insurance to review the retainer language against the policy language to determine whether inconsistencies exist. Note: not all cyber losses/events are insured events as defined by the policy; the retainer language is most relevant in terms of aligning with insured events as defined by the policy.

A best practice would be to specifically call out the existence of the retainer with FireEye/Mandiant to the broker and underwriter to pre-clear Mandiant as the IR provider. FireEye is pre-cleared on the preferred provider panels of many of the largest global underwriters (ACE, Beazley, AIG), so if you are using one of these underwriters you can be confident that Mandiant can be engaged quickly after an event.

4. Who are the best brokers and underwriters in the industry today and why?

Existing broker relationships may be sufficient; however, this is a specialized line of insurance that requires an experienced broker to place. FireEye will always collaborate and work within an existing broker relationship, but can also recommend some of the best professionals in the insurance industry for small, medium, or large accounts.

Some of the best brokers are, not surprisingly, from the larger brokerage firms, but some regional brokers also have fantastic expertise.

There are more than 50 underwriters globally that offer cyber insurance coverage; some are new to the marketplace, while others have been offering this coverage for over 20 years. FireEye works with reputable partners in this space and can provide you insights into working with talented underwriters from both a placement and claims perspective.

5. How does a cyber insurance policy complement my current IT security strategy?

Our experience shows us that no security posture is 100% secure. There are unforeseen threats and fraud schemes that even the best-designed internal controls cannot prevent, so insurance should be actively considered as part of every company’s security strategy. This consideration should include input from all the key stakeholders in the enterprise, including risk management, the CFO, IT, legal and the Board.

The trend towards securing cyber insurance is undeniable. That said, enterprises should not use a cookie-cutter approach to secure it. Each company should go through a considered process to secure coverage that addresses its most likely cyber risks at its unique tolerance level.