Cyber Risk Insurance in a Cyber-Resilient Organization
With cyber breaches in the headlines every week, including attacks of massive scale like SolarWinds and the Colonial Pipeline, cyber risk coverage is on the mind of nearly every business leader.
At a recent TEPAN meeting we enjoyed a presentation on cyber risk insurance from Mike Volk, who specializes in that arena with PSA Insurance.
The cyber-resilient organization
The cyber risk landscape is of course constantly changing, and there’s no finish line for cyber readiness: it’s a constant, ongoing process. Further, even the best-prepared organizations might still suffer a breach. For those reasons, Mike introduced the group to the concept of the ‘cyber resilient’ organization.
Cyber risk resilience requires buy-in from the top down, throughout all departments. There are so many facets to a proper cyber-ready profile that choices must be made about priorities, and as noted the process is never complete. Cyber insurance is not intended to replace those protective measures, but can help to bridge the gap as they’re put into place.
One error made by many organizations is devoting their energies solely to defense strategies. Defense is vital, of course, but even the best defenses can be breached. A solid and regularly tested response strategy is every bit as important as proactive defenses. Resilient organizations accept the reality that things will go wrong and are prepared when they do because they test their response capabilities often.
Risk vs. cyber risk
When it comes to risk of any kind, organizations have three choices: accept the risk (some companies are more risk-tolerant than others), control the risk (take steps to minimize exposures), or transfer the risk, most often through insurance.
Cyber risks, however, present problems with the first two options because of their highly technical nature. Cyber risks are harder to identify and therefore harder to accept: because they’re often not fully understood, organizations aren’t always clear on exactly how much risk they’re accepting. For the same reasons, cyber risk is more difficult to control.
Therefore, many choose to transfer more of the risk via cyber insurance. But that does not excuse a business from the need to understand cyber risk controls. Fortunately, cyber insurance does much more than simply pay claims. Experts from the insurer will work hand in hand with organizations to improve their cyber readiness.
What to expect from a policy
Mike points out that every policy is unique, but on a high level, insureds should look for these five components:
Cyber liability: This is third-party coverage encompassing damages done to others due to data breach, cyber incidents, regulatory proceedings, fines or penalties, or internet/media liability.
The remaining four components cover first-party damages, that is, expenses sustained directly by the insured organization:
Privacy event expenses: These include legal counsel, forensics, and crisis response expenses including public relations efforts.
Business interruption: Coverage for any lost income during a disruption, including reputational harm to the organization.
Data restoration: The cost to restore programs, systems, and in some policies, hardware. Certain policies will even cover hardware or software upgrades for the purpose of preventing future incidents.
Cybercrime: Covers financial damage to an organization resulting from computer fraud, identity theft, social engineering, invoice manipulation and similar crimes. This may cover actions by rogue employees as well, but that coverage typically will not extend to upper management.
Things to look for in a cyber policy
Again noting wide variations in coverage from policy to policy, Mike suggested specific attention be paid to these items:
- Some policies will cover the cost of notifying affected stakeholders only when that action is required by law. That may not always be the case, so look for a policy that covers voluntary notification as well.
- The policy’s definition of ‘computer systems’ should specifically extend to Cloud/SaaS applications and mobile devices.
- Forensics is not incident response, and data restoration is not network restoration. Look for explicit coverage for incident containment, remediation and network restoration, not just data restoration.
- Make sure that coverage for privacy event expenses is triggered by both a privacy event and a network security failure.
- Examine business interruption triggers to see that they include both malicious and non-malicious events. Not all business interruption is due to malware or hacking; human error or changes in the network environment can cause interruptions as well.
Things to avoid in a cyber policy
Mike cautioned against policies that include:
- Overly broad exclusions relating to security.
- Specified incident exclusions. Some carriers are now adding language that specifically excludes losses related to larger named events such as the SolarWinds and Microsoft Exchange incidents.
- Overly broad restrictions on ransom payments. For example, some policies forbid any payments that run afoul of United States or United Nations rules about dealing with terrorist organizations. Determining this should not be the responsibility of the business owner.
- War/terrorism exclusions without a carveback. Nearly every policy of any kind includes exclusions related to acts of war or terrorism. Certain cyber policies include a ‘carveback’ that restores war/terrorism coverage for cyber events.