A tool to minimize cyber and reputational risk and protect the balance sheet and bottom line
Cyber Insurance is an insurance policy designed to cover losses a company suffers due to a privacy breach or network security breach. According to AM Best’s 2019 Market Segment Report, cyber insurance direct written premiums in 2018 grew 12.6%. That same year, premium volume surpassed $2 billion for the first time (compared to $1B in 2015). The report attributed the growth of cyber to the following factors:
- Organizations are buying cyber insurance to “minimize cyber and reputational risk and protect their balance sheets and bottom lines.”
- Insurers are adopting cyber exclusions in traditional policies.
- Enactment of stricter legislation (particularly the General Data Protection Regulation in Europe and other similar state regulations in the U.S.)
In this article, we will examine why organizations purchase Cyber Insurance as a tool to “minimize cyber and reputational risk and protect their balance sheets and bottom lines.” We will break down what a stand alone cyber insurance policy commonly covers, as follows:
- Core principles of a cyber policy
- What does a cyber policy cover?
– examples of third-party coverages
– examples of first-party coverages
- Analyzing insuring agreements
- How to trigger coverage
Cyber Insurance = Balance Sheet Protection
Cyber Insurance is an insurance policy designed to cover losses a company suffers due to a privacy breach or network security breach. It is crucial to understand the basics of a cyber policy to establish what the policy intends to cover. The lack of consistency in wordings and terminology makes this particularly challenging.
What does a Cyber insurance policy respond to?
Generally speaking, a cyber policy will respond to:
- a Privacy Breach; and
- a Network Security Breach.
A privacy breach occurs when an outsider gains unauthorized access to confidential information. This can happen in a variety of ways, such as: intentional and unintentional disclosure, lost devices, employee error, or a hacking event where private information was or may have been exposed.
Example of intentional disclosure – an employee shares customer information such as names and addresses to an outside party.
Example of unintentional disclosure – someone sends Personally Identifiable Information (PII) in plain text as an unprotected attachment to an email and the email is intercepted in transit.
Network Security Breach
A network security breach is a breach of the network security system of an organization. It’s not a breach of information, but rather an exploitation of a system’s weakness. When an intruder infiltrates a network system, the company may experience a substantial loss.
Vulnerabilities in software, hardware, or organizational processes create opportunities for intruders to exploit. Network Security Breaches often occur when third parties discover these weaknesses.
What does a Cyber insurance policy cover?
One of the challenges of cyber insurance is that there is inconsistency in coverage and terminology between insurance companies. In order to understand what a policy will cover, you need to examine the policy wordings; its declarations, insuring agreements, definitions, exclusions, and conditions. Here’s an easy way to break it down!
There can be upwards of 10 different insuring agreements in a cyber policy. You can categorize them into two main types: third-party coverage and first-party coverage. A combination of both types of coverage will provide the best protection for your balance sheet. Third-party coverage responds to claims from others who have suffered damage because of your actions. First-party coverage responds to cover your own costs to deal with a cyber breach.
Examples of Third-Party Coverage
Privacy Liability: This clause is meant to cover the insured’s liability to third parties for damage arising from unauthorized access to their private and confidential information.
Network Security Liability: This clause is meant to cover the insured’s liability to third parties for damage arising from computer and network security breaches.
Regulatory coverage: This clause is meant to cover the insured’s liability to regulators for privacy breaches.
Media Liability: This clause is meant to cover the insured’s liability to third parties for damage caused by the creation and dissemination of media content.
Technology Errors & Omissions: This clause is meant to cover the insured’s liability to third parties arising from errors and omissions in providing technology products and services.
Examples of First-Party Coverage
Privacy or Network Breach Event Fund: This may also be called the Crisis Management Fund in your cyber policy. It is designed to cover costs that an organization may incur when dealing with a privacy or network security breach. This coverage helps to mitigate the negative impact that a breach event will have on the business. These costs include hiring a lawyer, I.T. Forensics, credit monitoring, a call center, and notification expense, to name a few.
Business Interruption (“B.I.”): This coverage addresses income loss suffered by the business due to a slowdown caused by a privacy or network breach.
Regulatory Coverage: This covers fines that may be imposed by the regulating authority that has jurisdiction over the company or the persons affected by the breach event. Note, fines and penalties are not always insurable under the law.
Social Engineering Fraud: Coverage for Social Engineering Fraud indemnifies the insured for money that’s been stolen through “social engineering fraud,” i.e., the manipulation or tricking of employees.
Data Recovery or Recreation: This covers costs related to the recovery or recreation of data that has been lost or destroyed.
PCI-DSS Assessment Coverage: This is coverage for fines and penalties imposed by a credit card company for failing to protect payment card information.
Analyzing a Cyber Policy
The insuring agreements in your cyber policy specify what the policy covers, i.e., the types of privacy and network security breach events and the extent of the coverage. In other words, the insuring agreements grant coverage.
You should carefully examine the insuring agreements in your cyber policy to determine how the agreements are worded as triggers. Ask yourself, “What are the terms and conditions under which coverage will be granted?”
For example, Insuring Agreement A in your cyber policy may be Privacy Liability. A Privacy Liability insuring agreement typically responds to claims made by third parties against your company for specific wrongful acts. Look at the definition of “wrongful acts” in the Definitions section of your policy to fully understand what is covered. Under this agreement, the insurer may cover the insured or its independent contractor/s for claims arising from failure to properly handle, manage, destroy, store, or otherwise control personal or confidential information.
Another insuring agreement could cover Network Security Liability. Under this clause, the insurer intends to cover claims against the insured for failing to protect its systems against denial of service attacks or unauthorized access. This insuring agreement aims to cover claims by others who claim they suffered financial damage because of the insured’s wrongful acts (for instance, failure to protect its network correctly). Again, you’ll need to read the definitions to fully understand the breadth of the coverage.
How is coverage triggered?
It’s essential to understand the reporting requirements and the coverage triggers in your insurance policy. After all, there is no coverage under a policy until the policy is triggered by one of the events stated within the policy. Note that trigger events will be different for different types of coverage. In the case of a third-party claim, the event may be an insured receiving a claim against the insured. In the case of first-party coverage, if that is provided by the policy, the event could be when a breach occurs.
Insurance brokers should review the conditions with their clients to ensure that they understand what events are covered and what is needed for coverage to apply.
Want to learn more about Cyber Liability Insurance?
Sign up to view the Cyber 101 course.