Cyber insurance: Buy, but be aware

A recent high-profile court case illustrates that the failure to read the fine print in a cyber insurance policy could cost an organization big money

In fact, experts agree that the failure to read, understand and negotiate every detail of a policy is probably the most crucial (and potentially expensive) mistake that organizations make when buying cyber insurance.

“You really need to read and understand what you’re buying,” said Bennett. “It’s not just about price and retention. Buying something off the shelf is a very dangerous place to go.”

To avoid that, she and others say it is well worth the expense of hiring a specialist broker who regularly negotiates such policies and understands the language.

Christine Marciano, president of Cyber Data Risk Managers, said she thinks the broker that sold Cottage its policy was “obviously inexperienced.”

“As a broker who focuses exclusively on cyber insurance, it’s mind boggling to me that both Cottage and their insurance broker bypassed that policy exclusion,” she said.

Christine Marciano, president, Cyber Data Risk Managers

“I can't say it enough – not all policies are the same, and there are many that cover these incidents. Companies clearly must do their due diligence.”

That is also the message from Selena Linde, a partner at Perkins Coie LLP. “The exclusion in the Columbia policy for failure to follow minimum required practices is not standard for the industry,” she said.

Part of the problem, according to Jared Kaplan, executive vice president and CFO of insureon, is that cyber insurance is relatively new in the industry, unlike auto or home.

Modern vehicles, he notes, have multiple safety systems built in and, “because cars have been around for a while, insurance underwriters have very reliable data for estimating any individual driver’s potential to have an accident and at what cost.

Jared Kaplan, executive vice president and CFO, insureon

“Data breaches, on the other hand, are new territory,” he said. “If you watch the news, you know they’re happening every day. Nobody’s quite sure how to quantify the costs.”

Linde agreed, noting that, “although cyber insurance has been around for more than a decade, it is still in its infancy and there are no standard ISO forms.

“Cyber policies are still the Wild West,” she said, “so understanding the policy language you are purchasing and how it will respond under potential scenarios for your company is crucial.”

Beyond that, Kaplan said a large percentage of organizations aren’t practicing basic security. He said one study found that 92% of breaches could have been prevented with basic measures like encryption, secure data backup, and data access control.

“This would be like 92% of drivers not honoring traffic signals,” he said.

Bennett said cyber insurers are, “struggling mightily to find out how to underwrite these policies, to set prices appropriately and specify the limits that they can stand behind.

Another minefield can be exclusions for failure to be in compliance with regulatory frameworks.

As many experts have noted, the ever-evolving cyber ecosystem and changes or updates to frameworks can mean an organization is in compliance one day but not the next, to the point that "compliance fatigue" has become a common term in the security industry.

Selena Linde, partner, Perkins Coie LLP

“Security standards can change at any time,” Linde said. “Policyholders cannot be expected to predict the future and should not purchase policies with language that, in essence, requires this.”

She said many Fortune 500 companies, upon learning of the new Payment Card Industry (PCI) standards that became mandatory at the beginning of 2015, “implemented procedures to satisfy compliance that will take 12 to 18 months to complete.

“If these companies had requirements in their insurance policies that they always be in compliance, the new PCI standards would have obliterated their current coverage,” she said.

But experts are unanimous that all those potential problems should not stop organizations from buying cyber insurance. It just needs to be done carefully – very carefully – with the help of an experienced specialist to read and negotiate the fine print.

“For small businesses, the average cost of a data breach is $8,700, and policies typically cost less than $2,000 per year,” Kaplan said, adding that having the money available for those expenses, “can help preserve a business’s reputation and can make it less likely that the initial breach has a long-term negative impact on the business finances.”

Indeed, one of the mantras in security is that it is no longer a question of if you will be breached, but when.

“Cyber crime is at an all-time high,” Marciano said. “A cyber attack can bring any company to a standstill and, if data theft is involved, cause significant costs to respond to the breach, regulators and plaintiff lawsuits, and more.”

“The key is to truly understand your coverage and what types of losses may not be insurable,” Rafferty said, “as well as ensure that the coverage spans most common breach areas.”

In other words, as Linde put it, “You just have to do your homework and know what you are purchasing.”

Copyright © 2015 IDG Communications, Inc.
