You’ve heard the term “cyber risk,” but what is it and why should you care? Cyber risk is the impact on your business and brand arising from actual or threatened unauthorized disclosure of personal information from your computer systems. There are few enterprise risks more potentially harmful than unmanaged “cyber risk,” and those threats continue to evolve.
The financial impacts of data breaches can be substantial. The greatest threat may be that of an unmitigated data breach and the subsequent damage to your company’s reputation. Thankfully, there is a large, growing, and competitive market for insurance products to address, allocate, and mitigate cyber risk. This alert identifies the key components of the cyber risk management process, details key components of cyber risk/data breach insurance, and describes some key issues for consideration as a starting point for further inquiry by companies considering or evaluating such coverage.
Cyber Risk/Data Breach Insurance: Part of the Risk Management Process
Defining cyber risk in the context of your business is the first step. For example, companies with direct interactions with the public, and those reliant on third-party payment processors, have significant financial risk of data breaches. Enterprises that promise confidentiality and trust (e.g., banks, law firms, doctors, insurers) face additional and potentially crippling reputational risk from data breaches. Effective risk management requires consideration of the “what ifs” of potential data breach scenarios. Inquiries such as “How am I vulnerable to a breach?” and “Am I a target for cyber extortion?” may identify operational vulnerabilities, risk mitigation measures, and the need for cyber risk insurance as a cost-effective risk transfer mechanism. And while no one knows your business better than you, objective third-party input can be a valuable tool in assessing cyber risk.
Cyber Risk/Data Breach Insurance: Key Features
Having assessed the potential impact of data breaches on your business, it is time to consider cyber risk insurance as a risk transfer mechanism. If there is one notable feature of this relatively new type of coverage, it is the lack of standardization. Compared with Commercial General Liability (CGL) insurance, the pricing and scope of cyber risk coverage are highly variable. Indeed, in one recent comparison of four leading insurers, pricing for the same basic cyber limits varied by more than 150 percent. While pricing and claim service are important issues in cyber insurance, the lack of policy standardization and knowledge gaps (even within the broker community) about the operation of key provisions add substantial uncertainty to the cyber risk insurance purchase decision.
Coverage Triggers, Exclusions, and Other Limitations: When Is a Breach Not Covered?
In buying any insurance, it is critical to understand how the coverage operates and when, how, and why the insurance may not provide protection. Cyber risk liability insurance is almost universally written on a claims-made basis (the claim or suit against you must be first made during the policy period). But it is critical to carefully consider the proposed insuring language, as some insurers impose additional limitations based on the timing of the breach which resulted in the claim. Some limit coverage to claims where both the breach and the claim took place during the policy period (no prior acts coverage); some use a retroactive date (providing coverage as of an identified date in the past); and others provide unlimited prior acts coverage. The inclusion of limited or unlimited prior acts coverage may be negotiable for many insurers and is highly desirable when your business has been in operation for a long period of time without prior coverage.
Understanding what may give rise to coverage is only the first step in assessing a policy. The policy’s insuring agreements describe the circumstances under which a matter may be covered, but exclusions, as the term suggests, may significantly limit coverage. Importantly, cyber risk policy exclusions are highly variable and often negotiable–a key point for you and your advisors to consider.
Other critical policy provisions involve control over defense and settlement. Does the insurer control defense and settlement? Does the policy include a so-called “hammer” clause pursuant to which the insurer limits its liability under circumstances where the insurer and the claimant are willing to settle but the insured refuses? In the “first party” coverages (i.e., covering your own property), who selects the service provider for those covered expenses (e.g., breach notification)? The amount of any self-insured retention or deductible and the insured’s ability to control claims within the retention are additional key considerations. And definitions of key provisions, such as what constitutes “damages” (with some insurers refusing to address regulatory fines), may have a significant impact on the scope of coverage.
Next Steps
While some 60 percent of businesses worldwide are insured for cyber breaches (up from 20 percent two years ago), this is still an emerging market in which the lack of standardization and, indeed, lack of historical underwriting data, have led to highly variable coverage provisions and pricing for cyber risk insurance. Armed with the information in this alert, most businesses should be able to ask the right questions, which will lead to an informed purchase decision for this new and important line of coverage.
Many businesses may not have the time or resources in-house to engage in this process or other aspects of enterprise risk management involving cyber risk. Prince Lobel can provide cost-effective help. If you are interested in learning more about how your business can evaluate its cyber risk and ensure that it is properly covered, please contact Joe Sano, the author of this alert, at 617.456.8145 or jsano@princelobel.com; Mitchell King, chair of Prince Lobel’s Insurance and Reinsurance Practice Group, at 617.456.8010 or mking@princelobel.com; or William S. Rogers, chair of the firm’s Data Privacy and Security Practice Group, at 617.456.8112 or wsrogers@princelobel.com.