Comparing Cyber Insurance Policies

Published June 8, 2018

Cyber coverage is a growing area of business for the insurance industry. Originally the market for this coverage was limited to a handful of Lloyd’s syndicates and specialty insurers, but now the number of insurers willing to provide this protection exceeds 40 carriers.

Because most cyber insurance policies do not use a standardized Insurance Services Office, Inc. (ISO) contract, each insurer’s policy is different. Additionally, coverage is often written in the specialty/excess & surplus lines marketplace that permits insurers to manuscript endorsements. This makes policy comparisons complex. The advantage is that cyber insurance policies do provide certain common coverage elements.

Most policies comprise the following distinct sections:

o First party risk – that is, your breach notification and monitoring costs, incident response coverage, forensic investigation and public relations costs;
o Legal liability for lawsuits brought against you by a client or third parties arising from Network Security, Privacy and Management liability;
o Funds transfer fraud, social engineering and the theft of your money;
o Extortion, identity theft, telephone hacking or phishing attacks made against you;
o Damage to your digital assets or Business Interruption costs;
o Regulatory fines, penalties and investigation costs you must pay;
o Personal Injury (defamation) and Theft of Intellectual Property claims against you; and,
o Reimbursement of your trial or hearing attendance expense.

Some of these are built into the coverage; other sections are optional. Let’s break down the parts:

First Party

The initial coverage section of the policy deals with what is commonly known as “first party coverage.” This provides reimbursement for your direct costs of responding to a cyber incident. This might include legal advice and consulting services, the costs to notify customers and your expenses to respond to a regulatory investigation. Additionally, the policy covers IT consulting and forensic investigation costs to remediate the impact of the cyber event and remove any malware. Costs of responding to a cyber incident can be as much as $10 to $15 per customer.

Liability to third parties

Perhaps the most important coverage section of the policy in terms of the dollar amount of protection is usually the legal liability section. This provides protection against lawsuits alleging that you caused a denial of service attack, transmitted a virus, permitted unauthorized access, or caused the theft of a customer’s identity or intellectual property.

In addition, the section may also include coverage for privacy liability arising from disclosure of a client’s personally identifiable information, your failure to warn affected individuals of a breach, breach of the right to confidentiality, your privacy policy or unauthorized access to data.

Certain policies may also provide coverage for management (Directors’ and Officers’) liability claims arising from cyber events.

Legal liability claims can be complex to defend and cost millions of dollars to settle. This section of the policy provides for the cost of hiring a lawyer to defend you and, ultimately, to pay the claim.

Coverage can be extended to include fines and penalties arising from a regulatory investigation, or PCI fines, penalties or assessments arising from a payment or credit card breach.

Criminal Acts

This section of the policy reimburses you for loss arising from Funds (Wire) Transfer fraud from your bank account (including social engineering), theft of customer funds held in escrow, ransomware and cyber extortion, theft and misuse of your electronic identity, hacking of your telephone system, phishing and electronic impersonation of your business (including any loss of profits from such impersonation).

Asset and Income Protection

This section provides for the cost to repair and restore your data and applications, including hiring consultants and employee overtime. Coverage is also provided for additional costs and loss of profits from a system outage sustained during the period immediately following the cyber event. Finally, the policy will reimburse you for loss of profits arising from damage to your reputation and loss adjustment costs.

Media Content Liability

Essentially, this section of the policy provides coverage for legal liability arising from lawsuits for defamation arising out of media content in any published documents, including social media, websites or blogs. In addition, coverage is also provided for accidental infringement of any intellectual property rights, including misappropriation of ideas or failure to attribute.

Court Attendance Costs

Lastly, this section of the policy provides reimbursement for your expenses to attend court or any legal proceedings in connection with any claim made under the policy.

Formal Comparison

As mentioned earlier, no two insurers’ policies are the same. It is therefore difficult to make a formal comparison; however, there are various tools that may assist you. The most useful is a checklist that will allow you to undertake a side-by-side review. An example is available here. This is not an absolute evaluation of the quality of coverage and does not take into account the various nuances of the policies offered, but it is a starting point.

Beyond the basic sections of coverage that you want (or should have), the following clauses in any policy should be reviewed:

1. Limit of coverage – what is your worst-case scenario? In other words, if everything went wrong, how much coverage do you really need to keep your business going?

2. Deductible – how much can you afford in out-of-pocket costs and expenses? Remember, you are going to incur some uninsured costs (like your own time) and insurers do not pay for everything, so you have to select a deductible that makes sense. Of course, a greater deductible can reduce the premium, but you have to ensure that you can pay for this from reserves or cash flow.

3. Definitions – check that the policy defines the coverage in the broadest possible terms – this section of the policy is the “small print” and the insurer may limit coverage by narrowly defining what activities are covered or who is covered.

4. Exclusions – review this section carefully. Many exclusions are fair and to be expected, but some of these clauses may remove coverage that you thought you had. Of specific concern may be exclusions that relate to your business; e.g., if you are a law firm or CPA, a professional services exclusion is unwise. If you are in the real estate business, an exclusion of theft of funds held in escrow may not be appropriate. Read each exclusion and consider this as it relates to your business.

5. Conditions – these clauses dictate what you must do to ensure coverage in the event of a claim, or provide instructions for the cancellation of coverage, state your rights to an extended reporting period (aka tail), fraudulent claims, changes in your business, where coverage applies and what you can do in the event of a dispute with the insurer. The most important aspects are:

a. What is the notice period if the insurer should want to cancel coverage?
b. Will the policy cover you for activities anywhere in the world?
c. What is the longest extended reporting period (aka tail) the insurer can offer?

Many clauses are common to all cyber insurance policies and follow a similar format; however, if you can identify those clauses that are unique to a particular policy then these are likely to be the most problematic.

No comparison is exhaustive and is subject to whatever individual clause the insurer agrees to modify in a policy. However, using the foregoing tips and the cyber checklist may be a helpful guide to start the process. But if you want a really in-depth analysis, talk to your insurance agent or risk management consultant and ask what additional resources or services can be provided to you.

Rickard Jorgensen, FCII, ARM, ACIArb is the founder and President of Jorgensen & Company, a risk management consultant and professional risk specialist. Since 1999, Jorgensen & Company has developed and managed specialty insurance programs for CPAs, lawyers and Investment Professionals. Contact Rickard at: rjorgensen@jorgensenandcompany.com or (201) 345-2440.