General insurance is not cyberinsurance
A major problem, according to Tracie Grella, global head of professional liability for New York-based insurance provider AIG Inc., is that enterprises often mistakenly believe that general insurance will cover cyberattacks, which is rarely true.
"When you're seeing in the news about cyberinsurance and litigation, it is talking about general coverage," Grella said. "That is not where cybercoverage exists. If you want data breach coverage, you need to buy a cyberliability policy."
Paul Ferrillo, counsel for the law firm Weil, Gotshal & Manges LLP, based in Redwood City, Calif., said that there is also too much confusion over what cyberinsurance covers.
"There are too many gaps in coverage for comfort," Ferrillo said. "There are a lot of naysayers about what is covered. For example, after the Sony hack there were questions on if acts of cyberwar were covered."
Grella noted that, as companies learn from breaches, cyberinsurance policies are becoming more granular and expanding to cover more areas, adding coverage for policy issues, cloud systems, and property or bodily damage. However, insurance companies are hesitant to raise limits on coverage.
"We are willing to underwrite the top risks, but companies need to improve security processes," Grella said. "If no one is performing at the top level of security, you can't expect insurance companies to offer maximum limits."
Grella did note that it has become common for insurance companies to recommend security products to clients who are purchasing cyberinsurance.
"The insurance carriers have very close relationships with senior execs and board members," Grella said. "They have no idea what technologies are available, and we're able to bring solutions to them and new technologies that can be helpful."
James Bourie, CEO of New York-based cyberrisk assessment firm Nisos Group LLC, said that it would be acceptable if insurance carriers offer recommendations, but they need to be careful not to stray into reselling products.
"Insurance carriers should integrate cyber-risk programs into their policies," Bourie said. "Instead of being resellers of products, a risk assessment of potential insureds will allow insurers to articulate the level of cyber-risk and assign policies in accordance with their level of exposure or risk."