Buying cyber insurance: buyer beware

The recent NotPetya ransomware was a “shot heard around the world.” I have seen reviews to support a range of theories that the code was sloppy to the author(s) significantly had their revenues limited by having the email count taken offline. Regardless of your position, there was considerable damage and as these types of attacks become more pervasive, business owners will likely look to the insurance markets to provide some option for offsetting financial losses in response to a crisis event.

In the case of NotPetya, it is not simply a matter of many individual enterprises being hit but rather entire supply chains being hit as well. Reckitt Benckiser Group just announced they will likely have issues hitting their quarterly numbers because they could not invoice for millions of dollars because production lines were impacted. While you may have heard about FedEx being hit, Moller-Maersk (the world’s largest sea logistics operations) will also have their top and bottom lines take a sizeable toll as thousands of shipping containers could not be off loaded due to system failures/compromises of sea ports. Understanding cyber risk is a core element of understanding today’s business risk.

You have a number of instances where those that sell cyber coverage cannot adequately speak to its value proposition because they are not cyber risk experts.  Conversely, those that generally buy insurance are also not cyber risk experts.

With cyber insurance, there appears to be a school of thought where having insurance translates to having protections in place when a cybersecurity event evolves into an actual cybersecurity incident. I have seen online applications that allow for coverage by only answering ten questions. So the first question that should be running through your mind is, “How can ten questions determine an applicant’s cyber risk profile.” The short answer, “It can’t.”

So why do insurance carriers take such an approach? It is a numbers game – no pundit intended. Depending on the source used, the cyber insurance market will hit over $7 billion by 2020 or by 2025. Keeping in mind that in 2015, it was around $1 billion. So you have a mad rush for carriers to sell and an uneven balance of those that are looking to buy.

An insurance policy is essentially a contract. You have an agreement between the buyer and seller that in the event of a range of cyber scenarios, the insurance company pays out. Or does it? If you review annual data breach reports where insurance is involved, there are a couple of instances where the insurer declined to pay a claim because of the scope of the policy or “exclusions” within said policy. Perhaps even more problematic is the uptick in rate of the scenario occurring.

In a recent interview with Thomas H. Bentz, Jr. of the law firm Holland and Knight, LLP, Mr. Bentz provided insight about cyber liability insurance policies and how they can protect policyholders. Cyber policies are complicated and need to be negotiated.  Many companies fail to truly understand this coverage until after they have a claim.  Negotiating coverage enhancements upfront can significantly improve the coverage.

Even if you have a CISO reviewing the policy, there is likely a disconnect to what harm triggers are embedded in the policy and what is excluded. Take the case involving P.F. Chang’s. Would a CISO have figured into the equation a penalty for the re-issuance of credit cards? Probably not. Had the CISO done so, would a CEO or CFO agree that this is a business risk exposure, probably not. 

So we are now left with a unique scenario of relying on insurance carriers to pay out on claims in good faith and the carriers are limiting their downside exposure to a claim by carefully crafted language. You cannot fault the insurance carriers for trying to limit their exposure. However, it raises a question on fairness and would a prudent and reasonable person understand not only what the policy covers, but what it does not cover.

It is highly unlikely that P.F. Chang’s obtained a cyber policy by merely answering ten questions. Financial services and retail are common buyers from well-established carriers that have insured their businesses for decades. But as more policies are issued and a large percentage of those issued using such trivial measures to identify the applicant’s cyber risk profile, is there a potential argument that either (1) the issuer of the policy has contributory negligence in the face of a claim or (2) that the use of such techniques are an unfair and deceptive business practice? I interviewed several stakeholders representing regulatory and legal fields and these topics are not at the front and center of concern right now. However, all parties concur that if similar claims against carriers continue to increase, the likelihood that a regulatory body like the NAIC or FTC is high.