Misconceptions of Cyber Insurance

All new insurance products evolve after they’re tested in the real world, and it’s no different for Cyber Liability Insurance. Just a few years ago, an application for Cyber Liability Insurance could reach 20 pages long—a comically long form for anyone other than a highly technical client contact, like the CIO/CTO, to complete. For some clients, that was an easy ask; for others, it stopped the buying process right there.

Fast forward to today, and the Cyber Liability Insurance marketplace is growing tremendously. New carriers have entered the space, new business applications have become significantly simplified, and the services provided by the insurers have increased as players try to stand out in the market. These changes have happened in an environment with high-profile examples of cyber claims.

Still, we seem to get the same feedback from our clients:

Client: Do I need this product? I heard it’s overpriced.

Fortunately, these are the easiest to address. Yes, you probably need it, and no, it’s not as expensive as it was (but it’s hard to say what overpriced means to each buyer). You need it because there’s a new focus on security of data in the various regulatory centers, professional communities, and perhaps most importantly in the media.

There are two types of losses involved in a cyber claim.

  • Third-Party losses. These garner the most outside attention. This is where the information belonging to people outside of the organization is jeopardized and results in a loss. It also triggers certain State and Federal mandated activities, like notification and credit monitoring, which you must provide to those impacted even if they don’t suffer a loss. It could also result in a financial loss for a third party if you were housing their data: client information, confidential designs, etc.

  • First-Party loss. This could be a direct loss to your company (or employee) data, losses to technology, software, and data belonging to the company, ransomware installed on the computer and the resulting expenses. It can also include things like loss of income, and certain types of theft.

Additionally, insurance companies are, more and more, providing the services of experts that would typically be outside the scope of a business to investigate, mitigate, and respond to losses. These services can work better in conjunction with a firm’s technology department or provider, rather than against or in place of them.

Client: I heard at a conference it doesn’t cover anything.

Some people believe that there is no coverage for an act occurring prior to the date the policy is purchased. If that’s the case, then what good is it? In fact, some policies are written that way. However, in many cases where a client has no knowledge of a prior loss, the carriers will extend coverage prior to the date the policy is in force (should an unknown prior condition create a covered future loss).

Others believe that their own infrastructure outsources the risks of lost data. It’s backed up to a secure third-party site, managed by that third party, and that third party is well known and highly reputable. In reality, most contracts with those parties do not truly transfer the risk after a loss away from the insured. We encourage our clients to review their contracts and vendor agreements; we rarely have a response where they find a third party is indemnifying them for the loss. In brief, if a third party has custody of your data, you almost always need to cover the loss. This explanation often helps clarify the need for the insurance, since you can’t completely control the acts of those third parties but may have to live with the results.

Another unexpected hurdle comes from the thought that IS/IT departments have the situation under control. In some cases, that information comes from a direct conflict with the department telling the financial professionals that they don’t need the coverage. This is something we’ve seen less of in recent years, as the departments better coordinate to respond to requests by audit committees, investors, and other stakeholders.

In a way, I think there’s a real benefit out of the coordination required in the purchasing of Cyber Liability Insurance. The financial or legal team in charge of the insurance decisions does not fully understand the exposure or consequential losses. The information security and technology counterparts are aware but are not usually part of the conversations or decisions around the product. The coordination of these individuals has resulted in a good new conversation, answering questions like “Could this happen here?,” “How can we stop it?,” “How long would it take?,” and “Do we have that expertise in-house?”

The need is out there, the market has improved, and the cost has fallen. All said, it is a good environment for the buyers of Cyber Liability Insurance.

Let’s start the conversation today.