An ALM CyberSecure panel explored the perils and possibilities that result from current cyberinsurance policies.
Cybersecurity is a top concern for all organizations, and many are turning to cyberinsurance to lessen the blow of a data breach. Yet as with the complexities of a breach—from the who’s who of actors to the type of data compromised—this emerging facet of the insurance industry is rife with nuances that even the savviest of experts are struggling to grasp.
Addressing these complexities were the panelists at “You Finally Bought the Cyber Insurance Policy, Now What?,” a panel at ALM’s CyberSecure event. The event, as noted by session moderator Judy Selby, BDO Consulting managing director of Technology Advisory Services, was a “deeper dive” into the emerging cyberinsurance industry.
Summing up the key challenge facing cyberinsurance policy purchasers, she explained, “If you’re an advocate in a corporation and you’ve made the decision, you’ve made the push for your company to purchase cyber coverage … your worst case scenario is you’ve done something wrong and the policy won’t respond to the claim.”
And in the current business environment, defined by large-scale breaches to the likes of Target, Ashley Madison and, most recently, Yahoo, the timing is ripe for conversations about covering bases in the event of an attack. Citing figures from insurance brokerage company Willis Towers Watson, Selby noted there’s currently a 25 percent increase for cyberinsurance policies in the market. This, she explained, is driven by a flux of companies buying insurance in the wake of high-profile breaches, and “part of the reason is costs are so high around breaches.”
However, “now that there’s more coverage out there,” she added, more companies are “making missteps” in getting covered—basically, ensuring that the plan purchase adequately addresses the risks facing the company.
One way to handle this is to pay particular attention to the insurance application. Scott Godes, partner at Barnes & Thornburg, where he is also a member of the firm’s Insurance Recovery and Counseling Group, explained that some insurance providers will take a carrier form and “use it as they see fit.” For the policy holder, this will mean “a lot of work,” and it’s up to the advising lawyer to help them get their “arms around what they have.”
Therefore, Godes suggested to get as much information as possible and have legal as well as every other department involved in the insurance selection process go over the application and address each question. In addition, he advised to not be afraid to say, “I don’t know.”
“Carrier lawyers who are paid to be zealous advocates,” he added, “will say, ‘Well, we get to rescind the policy because your answer to this question was not correct. … Like a directors and officers (D&O insurance) policy, where the application is attached to the policy and becomes art of the policy, the application is attached in cyber as well.”
Godes noted that carriers attach these applications because they want to more easily rescind their policy in the event of an incident. “To me it’s bothersome. … Talk with your client and say you’ve got to do everything possible” to prevent it.
Providing the insurers’ perspective was Daniel Twersky, assistant vice president at Willis Tower Watson, a global insurance brokerage company. He explained that it’s essential for carriers to know how clients are managing their different vendors, as each presents an opportunity for risk by having access to a client’s data.
And unlike in days past, for insurers, it may no longer be enough to have an internal risk management program in place. Instead, providers will want to know of key sub-contractors, how they’re managed, and how they manage cybersecurity. Furthermore, he said his company vets vendors in areas such as financial and geopolitical risk before granting coverage.
Echoing the importance of the insurance application cited by Godes, Twersky said it’s also important to follow up an application with an in-person interview. “If it’s a first time purchaser, it’s like an interview. And I’ve seen things go from very good with the written application to horribly bad once you have ten underwriters going through questions about an application.”
A contentious issue with cyberinsurance is what cyber issues the insurance covers and what coverage is contingent upon. As an example, Godes mentioned policies that place a caveat on whether something should have been reasonably discovered.
“Anytime there’s ‘reasonably’ in there, you’re buying yourself a fight. What’s reasonable?” He said. The insurer “should have done their homework in selling you the policy.”
Read more: https://www.legaltechnews.com/home/id=1202768728861/1?slreturn=20160828230451