In this installment of our cyber safety series, learn why securing a cyber liability insurance policy can be critical to your overall cybersecurity program.
Cyber liability insurance. What is it, and is it really necessary? Cyber liability insurance is a policy that helps cover costs associated with data breaches and other cybersecurity attacks, such as:
- Lost income caused by a cybersecurity incident,
- Costs to notify customers,
- Costs to pay regulatory fines, and
- Costs to investigate and recover from a breach.
So, is this type of policy necessary? In most cases, yes. If your organization uses technology, securing a cyber liability insurance policy can be critical to your overall cybersecurity program. Below are some key considerations to keep in mind when purchasing cyber liability insurance.
1. Identify Your Risks
One of the first steps to take when purchasing cyber liability insurance is to understand the risks to your organization and your ability to address those risks. This starts with a comprehensive cyber risk assessment, including assessing your technology risks (such as system vulnerabilities, data encryption, and IT policies and processes) and non-technology risks (such as employee training and bring-your-own-device policies).
Your risk assessment should also consider external factors, such as your industry and geographic locations. Certain industries like healthcare and finance tend to be more attractive targets for ransomware and other attacks. This increased risk may lead to additional scrutiny from your insurer and ultimately higher premiums.
Identifying and understanding your organization’s cybersecurity risks, and your ability to manage them, will allow you to better evaluate policy options and coverage amounts, identify possible gaps in coverage, and determine how much risk to assume and how much to transfer to the insurer.
2. Know Which Type of Cyber Liability Coverage You Need
There are generally two types of cyber liability coverage: first-party liability and third-party liability. Let’s take a look at each.
First-Party Liability Coverage
First-party liability insurance covers costs incurred from a breach of your own systems that resulted in losses. These costs may include losses due to extortion from ransomware, theft or destruction of your data, interruption of your ability to conduct business, and costs associated with investigating and recovering from a cyber incident.
Third-Party Liability Coverage
Third-party liability insurance is intended for organizations in possession of third-party data, or for organizations responsible for developing, installing or managing the systems that secure third-party data, such as cloud software providers. This type of policy may include coverage for costs stemming from privacy claims from your customers and employees, regulatory actions, notifying third parties affected by the breach, and resulting litigation.
Whether you need first-party liability, third-party liability or both will depend on the services your organization provides. For certain organizations, such as those that install or manage computer networks, develop software systems or provide cloud services, third-party liability coverage is essential. For organizations that do not have custody of, or responsibility for, third-party data, first-party liability coverage is likely sufficient.
3. Be Clear on What Your Policy Covers
Your cyber liability coverage should be aligned with your level of cybersecurity risk, as identified during the initial assessment phase. Your coverage should also be aligned with your organization’s risk appetite. Cyber insurance coverage ranges from the basics — such as costs for covering ransomware, business interruption and breaches at third-party organizations — to less obvious costs, such as those associated with forensic investigations and litigation expenses.
In determining the extent of coverage your organization may need, consider factors such as the types of services you offer, the impact of cyber attacks on other organizations in the same or similar industry, and the types of data to which your organization has access. You should also consider regulatory obligations with which your organization must comply, including possible regulatory fines should you fail to manage a security breach in accordance with regulations. Data breach notification fines can be significant. Recent examples include Uber, which received a $148 million fine for violating state data breach notification laws, and Yahoo, which was assessed a $35 million fine for failing to disclose a data breach.
4. Understand and Plan for Exclusions
Exclusions are the circumstances or conditions under which the insurance provider does not cover a cybersecurity incident. When securing cyber liability insurance, it is paramount that you understand the exclusions in your policy, as insurers will quickly deny coverage based on them.
Some common cyber policy exclusions include:
- Failure to maintain minimum security standards. Be sure to understand any minimum security requirements your policy requires and take steps to meet them.
- Incidents resulting from war, terrorism or insurrection. As this is a broad exclusion that could potentially exclude incidents from state-sponsored cyber attacks, you should ask your provider to modify this clause to ensure acts of cyberterrorism are included in your policy.
- Other frequent exclusions. Also be aware of prior acts (acts that took place before the policy went into effect), regulatory fines and breaches stemming from third-party organizations.
Take the time to understand all exclusions in your policy and consider the impact they could have on your policy’s ability to meet your needs. Speak to your insurance broker about any concerns, and if you are unable to remove a particular exclusion, consider purchasing additional coverage to address the risk.
5. Consider the Importance of Retroactive Coverage
Like most insurance policies, your cyber liability policy will likely include a retroactive date. Losses resulting from incidents that occurred prior to the retroactive date will be excluded from coverage. The retroactive date is of particular importance to cyber insurance policies, as it is not unusual for months or sometimes years to pass before a cybersecurity breach is identified.
To obtain coverage for breaches that may not yet have been discovered, consider purchasing retroactive coverage as part of your policy. The retroactive date is normally the day the insurance policy first goes into effect. For an additional premium, you can often negotiate a retroactive date that pre-dates the day the policy first goes into effect.
When determining if you should extend the retroactive date, and how far back you should go, look not only at the additional cost of the insurance premium but also the overall cyber risk to your organization and the likelihood of having an undetected cybersecurity breach.
Putting It All Into Perspective
As part of a broader cybersecurity program, cyber liability insurance is one of the most important tools in your cybersecurity toolbelt.
Before purchasing any amount of cyber liability insurance, evaluate all relevant factors. Understand and cautiously consider your risks as an organization, the type of insurance and how much you need, the time period covered by the policy, and any and all possible exclusions. And when selecting an insurer, try to find one with experience in your industry who can partner with you as a risk adviser.
Contact a member of your service team to discuss this topic further.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.