In the insurance business, it’s all about the “policy,” and finding the right policy is akin to modern-day horse trading. It’s important to understand the specifics of your coverage in order to ensure there are no gaps that could surprise you later.
The latest insurance product to hit the market is cyber insurance, and the need to fully understand these policies is no different. Insurance carriers underwrite cyber policies that cover liability related to data breaches and major security incidents, which can be costly to identify, contain, resolve and recover from. Many insurance buyers may believe that existing insurance policies will work for cyber risks, but there are generally gaps in that coverage.
It is important for CISOs to understand their organization’s existing policy and be an active influencer in the buying process.
The effects of a cyber breach or security incident can be broad. In addition to data loss and interruption of business operations, these events can cause damage to electronic and/or physical property, bodily injury and harm to the organization’s brand reputation. Therefore, it is imperative that insurers and insurance buyers understand which risks are explicitly covered, which may not be covered and which may be specifically excluded.
We can classify cyber insurance coverage into three groups: stand-alone coverage, extended coverage and drop-down coverage.
These policies are used to create full coverage or to enhance the coverage provided by standard property and casualty insurance. To clarify, cyber insurance is not the same as errors and omissions insurance, as these two lines of business cover two different types of liabilities.
Other lines of coverage to be considered for inclusion with cyber insurance are Directors and Officers (D&O) coverage and any type of professional indemnification coverage. Ultimately, top leadership will be called to the mat for decisions they did or did not make, and the company needs to maintain coverage for this circumstance.
Finally, your total cyber insurance coverage should cover both the “immediate breach and/or incident costs” and the “long-term containment and recovery costs.”
Security breaches and incidents have a lifecycle that will generally span several years. The recovery component of this lifecycle is important because this is where the greatest cost will be incurred. This is particularly true for highly regulated, publicly traded enterprises and health care companies, and it needs to be taken into account from the outset.
In closing, all policies must include cyber-specific language, as this may be an effective way of covering gaps that conventional policies do not cover.