The grim warnings from cyber security and risk management experts are clear: The potential financial losses from cyber attacks should be taken as seriously as the carnage wreaked by fires, floods, hurricanes and earthquakes.
As more businesses explore buying cyber insurance to cushion the impact of cyber crimes, there are dozens of key factors to weigh before taking the plunge. Here are six tips for businesses seeking cyber coverage from Edward Iwata in the third installment of ThirdCertainty.com's cyber liability insurance series:
1. Understand your company’s risk of exposure.
Before buying coverage, companies must have a clear understanding of their risks, which can vary widely depending on the industry, type of business, existing network security and other factors.
Companies and insurers should discuss “the fundamentals of good security” and how security practices influence coverage and premiums, according to PwC’s 2014 report “Managing Cyber Risks with Insurance.” The National Institute of Standards and Technology (NIST) issued comprehensive cyber security guidelines in 2014.
2. Involve your entire management team in anything related to cyber security.
Surprisingly, many executives still see cyber attacks only as a technology or security issue, when they are a critical business issue that dramatically affects a company’s operations, its customers, its brand and reputation.
Always involve legal counsel and top executives in all areas when purchasing and renewing cyber policies, said Jerold Oshinsky of the Kasowitz Benson Torres & Friedman law firm.
3. Check whether your traditional business insurance policies cover any cyber-related incidents.
It’s early in the legal game, and whether traditional business policies cover the many aspects of cyber attacks is still under debate. In some cases, existing business policies still may apply.
Directors-and-officers (D&O) coverage, for example, may cover some cyber claims “if executives have not done what may be reasonably necessary to protect against a data breach event, including purchasing adequate insurance,” said Oshinsky, who represents Cottage Healthcare Systems in a major cyber insurance case against CNA’s Columbia Casualty.
4. Carefully evaluate stand-alone cyber policies.
More businesses are exploring custom, stand-alone cyber policies designed for their industries and level of risk. Insurance may cover breaches of privacy, lost and damaged data, interruption of business, legal and investigative costs, credit monitoring of customers, crisis management and many other potential costs.
In general, policies require that policyholders follow “best practices” or “minimum required practices” in their cyber security, including strong security software and firewalls, emergency response to cyber attacks, training for employees, and other practices.
There is no such thing as a typical policy for small to large businesses. Companies may pay anywhere from $1,000 to more than $100,000 for the same $10 million in coverage, depending on the industry and risk profile, says Jason Straight, senior vice president and chief privacy officer at UnitedLex.
5. Watch for policy exclusions.
Defining exclusions in coverage is also especially tricky. Insurers, for instance, may balk at covering policyholders who do not practice vigilant security. And policyholders may fail to read the fine print of policies, or may agree to exclusions that are too broad and vague.
Insurers are looking more closely at high-risk coverages such as legal and regulatory costs—especially as government scrutiny increases in the financial, retail and healthcare sectors. Underwriters may trim such coverage if businesses do not have solid cyber security measures and “essential practices” in place, according to Parisi.
6. Seek advice from a good attorney, insurance broker or other third-party vendor.
Shopping for a cyber policy is not as easy as buying auto or homeowners coverage. Given the complexity of cyber policies, businesses should consult with an experienced, trustworthy expert before plunging in.
Straight at UnitedLex said it’s critical for businesses to find a knowledgeable lawyer who understands the company’s industry and the intricacies of cyber coverage. Also look for a sharp broker who knows risk assessment, cyber policies and the best insurance carriers. Ask many questions and ask for references.
“There are so many nuances in the insurance space, and not all coverage is created equal,” Straight said. “So getting good counsel and the right insurance broker is really important.”