Many traditional liability insurance policies have exclusions for cybersecurity risks and standalone cyber insurance policies are the norm to cover cyber liabilities. Yet cyber insurance policies are not standardized to the same extent as traditional liability policies, so companies should be aware of key issues when obtaining cyber liability coverage.
Cyber liability is difficult to quantify. Liability risk depends on, among other things, the nature of business operations, the company’s network security policies and infrastructure, and the types of data the company collects and stores. Key information needed to assess cyber liability risk is collected in the insurance application, which becomes part of the terms of coverage; misrepresentations in the application could void the insurance. Thus, the first basic rule in cyber insurance is to pay close attention to the information submitted in the application.
When issued, comprehensive insurance policies cover first party risks (i.e. damages and losses suffered directly by the insured) and certain third party risks (i.e. the potential liability of the insured towards third parties). First-party coverage typically includes coverage for: (1) cyber incident response costs, including post-incident forensic investigation and data recovery and restoration; (2) breach notification to comply with legal and contractual obligations; (3) credit monitoring and identity theft protection services; and (4) reputation management through public relations and communications.
Third-party risk is liability that may arise from contractual obligations for indemnification or settlement of disputes or judgments of claims made by third parties due to the cyber breach. It is important to note that not all policies cover legal costs. Cyber insurance that covers litigation defense will mitigate the costs of defending what could be a large number of private actions arising from a breach.
Many policies exclude coverage for fines and penalties issued by the government, and/or ransom payments, in response to a ransomware attack. Granted, government fines and penalties can be costly, but the current rate of a ransomware attack could drive the cost of a data breach from six figures to seven with just a cybercriminal’s hand on a computer keyboard. Thus, it is imperative to work closely with your cyber insurance broker to understand the scope of coverage and the landmines that exist in the policy exclusions.
Cyber insurance policies are also typically written as “claims” or “incidents” policies. Claims policies require that applications for coverage under the policy be made while the policy is active and in force. Incidents policies are triggered by an incident during the policy period, regardless of when the claim is made. Since a “data breach or cyber breach” can be difficult to detect and may go undetected for some time, companies should pay close attention to the specific terms of loss coverage and insurer notification requirements.
What is even more challenging for organizations lately is that the cyber insurance market is in a state of flux. Cyberattacks occur with increasing frequency, and the losses for each attack are increasing sharply. The IBM Cost of Data Breaches Report estimates that the average cost of a data breach was $4.35 million in 2022.
As the demand for cyber insurance increases, so do the premiums. The increase in premiums due to the increase in demand is also fueled by the large payouts made by cyber insurance companies in recent years. According to a Marsh report in 2021, cyber premium rates had increased by 174% over the previous 12 months. Many predict that companies could experience an increase in premiums of up to 300% over the next few years.
Finally, the demand for insurance exceeds the capacity of many cyber insurance companies that have leveraged their risk exposure under their policies. The National Association of Insurance Commissioners reports that the number of cyber insurance policies written increased by 21.3% between 2019 and 2020. Reinsurance capacity is scarce and reinsurers are wary of large losses resulting from cyber attacks in many industries. It is hoped that the increased premiums will attract more insurance capacity, but it may take some time for premiums to compensate for the large payouts made by insurers.
These market factors are producing new business models in the industry. New cyber insurance companies are entering the market and providing cyber security services in addition to the insurance product. Cybersecurity services help both the customer and the insurance provider proactively manage the risk of a breach occurring.
When obtaining cyber insurance, whether for a new policy or renewal of an existing policy, a company should be prepared to show that its cyber security program, including its policies and procedures, is strong enough to pass the due diligence of a cyber insurance provider. In response to high premiums and coverage limitations, companies must work closely with their brokers to assess their risk appetite in light of the sensitive information they collect and store.
It will be a bumpy road in the cyber insurance market over the next few years. Companies that proactively anticipate the impact of industry changes will inevitably fare better.