At first glance, Cyber Liability Insurance seems like a panacea for the harried financial services firm looking to shore up its defenses against hackers. However, if you don’t have your cybersecurity house in order, you can end up losing twice: paying for a policy that doesn’t pay you when you need it.
Will a Cyber Liability Policy Secure Me?
In a word, No. A cyber liability policy will help you in the event of a breach, but only if you have taken the reasonable steps that a prudent company or person would have taken. The market for Cyber Liability policies is evolving rapidly and does not yet have the years of actuarial data that insurers rely on to set rates and estimate the likelihood of losses. As a result, you will find a cyber liability policy application considerably more complex than the application for a standard Commercial General Liability policy. Before embarking on the journey to secure such a policy, we recommend that you obtain an application and determine whether you can satisfactorily answer all of its questions. While it may seem onerous, going through the exercise may lower your premium while making your business more secure. We have said it before and will continue to echo it: you can transfer risk, but you cannot transfer responsibility. The responsibility for securing your business will always remain within the business itself. If you choose not to take “reasonable” and “appropriate” steps (the common-law standard) to secure it, you may find that an insurer quotes you an exorbitant rate for a Cyber Policy, or denies you coverage altogether.
What Should I Have in Place Before Applying for a Cyber Liability Policy?
Besides the obvious general liability policies (which we will discuss later), your firm should at a minimum have in place the following:
- A Governance Structure with a clearly designated head of Security (whether titled CISO or otherwise) and a clear line of communication to executive management;
- A Formal Program in place to test & audit network security controls;
- Policies & Systems to ensure adequate patching and updating of systems and services;
- A Disaster Recovery or Business Continuity plan that addresses restoring systems functionality, not just facilities;
- A Training Regimen for new and existing employees that includes procedures for safe computing;
- A Written Information Security Policy (WISP) that includes items such as onboarding and offboarding controls, password maintenance, and general data security policies and procedures; and
- A Mobile Device Policy.
This is just a sample of the items an insurer may request and review in order to quote a Cyber Liability Policy. It bears noting that simply HAVING these cybersecurity procedures isn’t enough: they must be customized for your company and actually followed. If you simply present these policies for (or check the boxes on) your application, you may find the insurer unwilling to pay out. In the case of Cottage Health System, a healthcare provider, the insurer contended that the firm had failed to follow the “minimum required practices” it had represented on its application. In essence, the provider obtained coverage but acted negligently in securing patient data (in fact, leaving it on a server that was open to the internet). The insurer denied coverage on that basis, and it could have gone a step further and alleged misrepresentation on the application itself. So, take the time to organize your house BEFORE you go to buy a Cyber Liability policy. If you don’t, and you suffer a breach, expect your insurer to be unwilling to pay.
What Will Cyber Insurance Cover?
A Cyber Insurance policy covers the costs arising from information security liability, which can include damages resulting from a failure to protect private information, among other things[i]. Additionally, endorsements can cover the cost of what we would term “breach cleanup”: privacy notification expenses, crisis management and reward expenses, defense expenses, and public relations expenses related to recovering from a breach. Further specific coverages can be requested for items such as:
- Business Interruption – Covers loss of income after a disaster (which can include a “cyber-induced” disaster, such as an outage caused by an attack).
- Extortion (E-threat) – Covers extortion payouts made in the face of a credible threat to destroy or publish sensitive data.
- Funds Transfer Fraud – Covers the direct loss of money and securities resulting from phishing attacks or stolen credentials.
- E-vandalism – While many hackers want to siphon information unnoticed over time, others (a disgruntled employee, for instance) want to disrupt the organization’s operations as much as possible. E-vandalism coverage pays the costs of restoring affected systems to an operational state.
Again, it is essential to note that none of these coverages is likely to pay out if the insurer determines that the policyholder acted negligently. Further, the additional protection these coverages provide applies only when your well-conceived, well-structured, and well-executed plans fail to prevent a breach.
What Will Cyber Liability Insurance NOT Cover?
While cyber liability insurance will cover you when reasonable and appropriate steps have been taken to protect your network, it will NOT protect you against breaches that occur outside of the policy period. At first blush this requirement seems cut-and-dried, but with a cyber-breach it can become quite complicated, because a breach is rarely discovered the day it happens: Mandiant’s 2014 threat report put the median time from compromise to detection at 229 days[ii]. Consider a policy effective January 1st, 2015, covering a network that was actually breached on December 1st, 2014, with the breach not discovered until June 1st, 2015 (182 days later, well within that 229-day median). Your insurer will not cover you, because the triggering event occurred before the effective date of the policy. Some carriers will write a retroactive date earlier than the policy’s inception, so that a breach that began before inception but is discovered during the policy period is still covered; ask whether one is available and how far back it reaches.
But What About my Commercial General Liability (CGL) Policy?
Let’s just state this clearly and up-front: Your CGL policy will NOT cover you in the event of a breach. The policy definition of “property damage” specifically states that electronic data is NOT tangible property. Further, in an effort to clear the air, in 2014 the Insurance Services Office, Inc. (the organization that drafts the standard policy forms insurers use) added exclusions to its forms for losses arising from data breaches[iii]. And the Connecticut Supreme Court recently affirmed that the loss of data did not constitute a “personal injury” to the individuals whose data was lost[iv]. Though additional coverage for “electronic data liability” can be added to a CGL policy, it covers only items such as the accidental physical destruction of a server by an employee.
Despite its limitations, Cyber Liability Insurance is an important and growing segment of which all business owners should be aware. It can provide a level of protection that may allow a business to weather a breach successfully. But remember, a Cyber Liability Policy will be completely useless if your company does not take cybersecurity seriously before a breach. Without adequate controls in place to secure your data, your environment, and your employees, you will find in a breach that you have purchased coverage that offers you no protection and no defense against claims from clients or creditors.
By all means, research the option, but make sure you have your digital ducks in a row first.
If you’re not sure where to start or how to implement these suggestions at your firm, please contact me for a complimentary conference call. We are pleased to discuss your firm’s specific circumstances in a confidential, judgment-free environment. I can be reached at Lyman@ArtemisSecure.com or 860.248.4100 x803.
For Further Reading:
[ii] Mandiant 2014 Threat Report – http://investors.fireeye.com/releasedetail.cfm?ReleaseID=839454
[iv] Recall Total Information Management, Inc., et al. v. Federal Insurance Company et al., Connecticut Supreme Court, May 26th, 2015 – https://www.jud.ct.gov/external/supapp/Cases/AROcr/CR317/317CR54.pdf