Cyber coverage is a growing area of business for the insurance industry. Originally the market for this coverage was limited to a handful of Lloyd’s syndicates and specialty insurers, but now the number of insurers willing to provide this protection exceeds 40 carriers.
Because most cyber insurance policies do not use a standardized Insurance Services Office, Inc. (ISO) contract, each insurer’s policy is different. Additionally, coverage is often written in the specialty/excess & surplus lines marketplace that permits insurers to manuscript endorsements. This makes policy comparisons complex. The advantage is that cyber insurance policies do provide certain common coverage elements.
Most policies comprise the following distinct sections:
Some of built onto the coverage; other sections are optional. Let’s break down the parts:
The initial coverage section of the policy deals with what is commonly known as “first party coverage.” This provides reimbursement for your direct costs of responding to a cyber incident. This might include legal advice and consulting services, the costs to notify customers and your expenses to respond to a regulatory investigation. Additionally, the policy covers IT consulting and forensic investigations costs to remediate the impact of the cyber event and remove any malware. Costs of responding to a cyber incident can be a much as $10 to $15 per customer.
Liability to third parties
Perhaps the most important coverage section of the policy in terms of the dollar amount of protection is usually the legal liability section. This provides protection against lawsuits alleging that you caused a denial of service attack, transmitted a virus, permitted unauthorized access, or caused the theft of a customer’s identity or intellectual property.
Certain policies may also provide coverage for management (Directors’ and Officers’) liability claims arising from cyber events.
Legal liability claims can be complex to defend and cost millions of dollars to settle. This section of the policy provides for the cost of hiring a lawyer to defend you and ultimately, pay the claim.
Coverage can be extended to include fines and penalties arising from a regulatory investigation, or PCI fines, penalties or assessments arising from a payment or credit card breach.
This section of the policy reimburses you for loss arising from Funds (Wire) Transfer fraud from your bank account (including social engineering), theft of customer fund held in escrow, ransom ware and cyber extortion, theft and misuse of your electronic identity, hacking of your telephone system, phishing and electronic impersonation of your business (including any loss of profits from such impersonation).
Asset and Income Protection
This section provides for the cost to repair and restore your data and applications, including hiring consultants and employee overtime. Coverage is also provided for additional costs and loss of profits from a system outage sustained during the period immediately following the cyber event. Finally, the policy will reimburse you for loss of profits arising from damage to your reputation and loss adjustment costs.
Media Content Liability
Essentially the section of the policy provide coverage for legal liability arising from lawsuits for defamation arising out of media content in any published documents, including social media, websites or blogs. In addition, coverage is also provided for accidental infringement of any intellectual property rights, including misappropriation of ideas or failure to attribute.
Court Attendance Costs
Lastly, this section of the policy provides reimbursement for your expenses to attend court or any legal proceedings in connection with any claim made under the policy.
As mentioned earlier, no two insurer’s policies are the same. It is therefore difficult to make a formal comparison; however, there are various tools that may assist you. The most useful is a checklist that will allow you to undertake a side-by-side review. An example is available here. This is not an absolute evaluation of the quality of coverage and does not take into account the various nuances of the policies offered, but it is a starting point.
Beyond the basic sections of coverage that you want (or should have), the following clauses in any policy should be reviewed:
Many clauses are common to all cyber insurance policies and follow a similar format; however, if you can identify those clauses that are unique to a particular policy then these are likely to be the most problematic.
No comparison is exhaustive and is subject to whatever individual clause the insurer agrees to modify in a policy. However, using the foregoing tips and the cyber checklist may be a helpful guide to start the process. But if you want a really in depth analysis talk to your insurance agent or risk management consultant and ask that what additional resources or services can be provided to you.