Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

8/15/2019
09:00 AM
Joan Goodchild
Joan Goodchild
Edge Articles
100%
0%

5 Things to Know About Cyber Insurance

More businesses are recognizing the need for cyber insurance as part of an overall security strategy. Here are some key points to consider when evaluating, purchasing, and relying on a policy.

After years of trying, Risk Based Security CISO Jake Kouns finally managed to get cyber insurance the attention he thinks it deserves. He had been submitting ideas for insurance-related talks for the annual Black Hat USA event since 2012 - and had been rejected four times. But at last week's Black Hat in Las Vegas, he led one of the sessions during a dedicated micro summit about cyber insurance.

Interest and attitudes around cyber insurance has changed, according to Kouns, as more security managers and businesses of all sizes recognize its need as part of an overall security strategy. Though PWC estimates only about 30% of companies have cyber-risk insurance or cyber liability insurance coverage, the market continues to grow. According to a recent report by A.M Best, direct premiums written for both standalone and packaged cyber policies grew about 12% in 2018, from $1.8 billion to $2 billion. While this is a bit slower than the past two years, the $2 billion figure is more than double what was written in 2015.

In his session, "Integration of Cyber Insurance Into A Risk Management Program," Kouns walked attendees through some of the best practices and caveats for investing in a policy. Here are some key takeaways for CISOs to consider when evaluating, purchasing, and relying on cyber insurance.

1. If Your Organization Doesn't Already Have Cyber Insurance, It Will
Organizations are increasingly investing in cyber insurance simply because they have no choice, Kouns said. Clients are insisting their partners have insurance for compliance purposes and regulatory requirements. More and more, having cyber insurance is part of contractual requirements, he said.

Kouns also stressed that for smaller organizations that have not put a strong security program in place, cyber insurance is critical and makes financial sense.

"Typical costs for cyber insurance are currently extremely reasonable," Kouns said. "If you're a CISO and you have a breach, what do you want to say? 'Whoops, sorry?' Or, 'We have a partner, let's file a claim.'"

2. Insurance Coverage Is Not a Substitution for a Security Program
Just like you wouldn't drive recklessly in a car simply because you have auto insurance, cyber insurance should not serve as reasoning to tailor back on investing in security strategy and tools. Under no circumstances should a business purchase cyber insurance and assume it is covered without putting the time and investment into a solid security program, Kouns said.

"My concern is this is what some people hear and do. We call this a moral hazard," he said. "Effective security programs cost money."

While cyber insurance may reimburse costs, it cannot mitigate the reputational damage incurred by a breach or a security incident. Insurance will not reinstate trust from clients and customers post-breach.

3. Security Should Get Involved Early in the Insurance Process
While the conversation about insurance is often being led in other financial divisions of a company, such as at the CFO level, the security department should be involved at the outset to help evaluate policies and coverage levels, Kouns said.

"Read the policy, give your input," he said. "Help to fill out the application. I have not seen enough IT security involved in the insurance process. A broker will say, 'Don't worry about talking to your IT staff. I'll fill it out for you.' That's bad.'"

Security staff or the CISO will understand the technical language and definitions in a way that others less tech-savvy and risk-informed cannot. Security is also more qualified to identify important exclusions that may be slipped into the policy and can advise accordingly. In order to ensure the policy has the right inclusions for your specific organization's needs, security needs to be consulted on each step of the evaluation and purchasing process.

4. Ensure the Requirements of a Policy Are Fulfilled So Your Coverage Won't Be Nullified
You've got a policy and now you're covered, right? Think again. You are obligated to fulfill and have in place a number of requirements in order for that policy to cover you in the event of a breach or other security incident.

This brings us back to the importance of security's involvement in the process and a thorough understanding of both the coverage and the policy details. What does your organization need to have in place that it may be overlooking? If the policy requires it, you will be out of luck on coverage in the event of a breach if you haven't made the proper accommodations.

5. Some Elements of Your Incident Response Plan May Need to Change
Kouns stressed that certain steps in an incident response plan may need to be tweaked once a cyber insurance policy is in place. This will include your breach reporting timeline because, as Kouns pointed out, almost all policies have requirements about timely reporting.

Secondly, it is critical to develop your IT plan prior to having to use it – and test it out. While many organizations have an incident response plan in theory, a considerable number have not actually put it to the test. Are you sure yours is up to the challenge if a breach occurs?

Related Content:

Image Source: Krolone via Adobe Stock

 

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Richard F.
50%
50%
Richard F.,
User Rank: Apprentice
8/19/2019 | 7:07:28 PM
Re: Great Article - But There Are Dangerous Traps for Unwary
Thanks for making additional useful points in the Reply.

Actually a number of companies with limits far below USD $5 Million have been caught in this trap. The Montelone Hotel cyber coverage litigation in New Orleans, and eventual referral to arbitration is but one example.  Several Texas companies I know of have also had denied Cyber claims.  they have also then landed in the coverage disputes arbitration morass.  Typically these have been surplus lines carriers, which is a topic for another day. These issues point out why a good Broker and policyholder insurance counsel are important.

I typically see disputed coverage issues raising every possible plausible defense. So while the stated coverage amount appears applicable, where there are coverage denials effectively there is no insurance until those disputes are resolved.  A case I served as a Special Master and later mediator on in USDC in the Eastern District of Texas actually began in the 1980s.  Until about 2015 the Insured company paid the underlying claims and litigation costs itself.  Arbitrations of coverage disputes can also take years, but fortunately not decades.

I believed the audience for the article were not experts in insurance or law. The terms "foreign" and "alien" have specific meanings, but those are not well known outside of the legal and insurance fields.  I have been counsel for a number of "alien" reinsurers.  Again, the specific meanings of obscure terms show why good brokers and lawyers are essential.

The "deposits" I referred to are an aspect of the arbitration process itself.  They apply irrespecive of the  forms of coverage in dispute. Where arbitration is required, and it is common, the parties each must pay their share of the arbitrators fees, the tribunal costs for things like travel etc, and if "administered" the arbitration administrators fees. Many of those deposits are established based on the arbitrator fees for the time they must spend to hear and decide the dispute.  Consider the expense of 3 former judges, or active lawyers or barristers at $750 to $1,000 per hour each. This is in addition to the cost of the parties own counsel, experts, executives etc. Some administrators will charge hourly to be a private "Clerk of Court" for the arbitration. The L.C.I.A. is an example. Other administrators fees and charges are based on the amounts in controversy. 

The conversations definitely should occurr up front.  However, the steady stream of coverage disputes entering the courts and arbitrations, and inconsistent interpretations of similar language by different federal and state judges show that Cyber Insurance is still an unsettled and problematic area. Expert advice is critical!

Anyone interested in copies of public pleadings in the cases I mention is welcome to contact me.   
mcavanaugh1
50%
50%
mcavanaugh1,
User Rank: Strategist
8/19/2019 | 5:09:18 PM
Re: Great Article - But There Are Dangerous Traps for Unwary
On your points...

First, you are correct.  The cyber insurance policies are not standardized.  There is no uniform coverage form like you would find in an Auto Insurance or Commercial General Liability policy.  This is by design in many cases as each carrier looks to provide coverage for the circumstances that they would like to cover.  Many carriers do not know what they are looking to cover so they create restrictive policies with lacking coverage however there are specialty carriers that have developed coverage forms from the ground up to address these exposures.  The non-standard nature of the form allows for that innovation which is otherwise hampered by some of the existing insurance regulation that deals with standardized forms.  The safeguard has to be the insurance agent/broker that helps place the policy for the insured.  It is extremely important to work with an agent/broker that knows what they are talking about or else you may end up with the barebones coverage from an inexperienced carrier.

Second, this only refers to companies with higher limits that have to buy coverage from multiple insurance carriers for the same exposure.  Once you get to 5M+ in coverage you may have to use more than one carrier to get the limits you want in place.  Most companies will never come across the need for an excess tower on a policy. Also, these additional carriers providing the higher layers of coverage specifically cover the same limits & wording as the policy at the bottom of the tower.  The excess layers follow the form of the primary layer so there is no difference in the coverage being provided unless otherwise specifically stated.  It is the responsibility of the insurance agent/broker to point these out if they are even added.

Third, I have a feeling that your comment is referring to coverage arguments between an insured and an insurance carrier.  The Choice of Law provisions in any insurance policy refers to situations of bad faith claims or coverage issues with the insurance carrier not the actual coverage being provided under a cyber policy.

Fourth, the term "foreign insurer" within the insurance industry refers to an insurance company that does not have a location in that specific state not an actual international company.  There are plenty of US based insurance companies that are considered "foreign insurers" under the current regulations.  This does not mean that you are required to arbitrate in another country.  Even if it is an international company ("alien insurer"), they would still have to adhere to the jurisdictions imposed by the policy wording which is generally NY. 

Finally, I cannot speak to the need for a deposit in a Catastrophe claim arbitration.  The Casualty Insurance industry has nothing to do with the Cyber Insurance portion of the industry.

Ultimately, most of the criticisms, commentary and reporting on Cyber Insurance policies does not take the time to look at the entire picture.  The marketplace for Multinational corporations in need of 100M+ in limits is drastically different than the local IT consultant looking to satisfy a contract.  Even within this article there are some misleading statements to do with security requirements.  Most carriers will not require the insured to do anything different than what is disclosed in the application to provide broad coverage without limitations.  The insurance carriers, coverage and concerns require different conversations that can be had by an educated insurance agent/broker to help place the business with the right insurance carrier. 
Richard F.
50%
50%
Richard F.,
User Rank: Apprentice
8/16/2019 | 1:03:05 PM
Great Article - But There Are Dangerous Traps for Unwary
This is a very useful and timely article by a very knowledgible reporter who has done excellent work in this ever changing and confusing field.

Unfortunately there are often even greater surprises concealed within Cyber Insurance Policies and endorsements.

 

First, Cyber Insurance in NOT standardized.  These are "Manuscript" policies with each insurer using its own custom language and provisions.  The "meaning" of the language is NOT uniform.  The same provisions can be interpreted in contrasting ways in different federal circuits and state courts.  Whether your company has "collectible" insurance often depends on what state(s) you are located in.  Of course, that is unless a "Choice of Law" clause specifies the insurance law of a particular state, like New York.

Second, Cyber Insurance is often a "tower" of distinct layers and levels. That means there are separate insurers for different amounts of coverage.  Higher layers often mean foreign insurers with unexpected language and restrictions.  What you may think the Declarations page says you have in insurance is NOT necessarily what your company actually has.  

Third, "Insured" companies are frequently shocked to learn choice of law and arbitration clauses mean no litigation in local courts, no state judges familiar with their domestic insurance law, and no jury trials. Even when local state law appears to clearly prohibit arbitration, such as Louisiana etc., the New York Convention as a U. S. International Treaty overrides state law. That allows foreign insurers like Lloyds, Zurich, Swiss Re etc. to require arbitration in London, U.K., Hamilton, Bermuda etc.

Fourth, many American companies are unaware that where there are foreign insurers in an insurance tower, mandatory foreign arbitration is almost guaranteed. Typically that means any disputes will be decided by 3 arbitrators unfamiliar with technology issues, focused on contract language, sitting in London, and applying New York or English insurance law under the English Arbitration Act. If there is a "Nationality" clause, at least 2 of the 3 arbitrators will NOT be U.S. citizens, or well versed in U.S. state insurance laws.

Finally, "Insured" companies being required to make six figure deposits to simply start an arbitration are common. I have seen clients required to post USD $200,000.00 to file their Hurricane Katrina claims for each arbitration in London.  That meant separate individual arbitrations for each distinct insurer denying coverage. I won't even beging to address the joys of dealing with English High Court "Anti-Suit" injunctions prohibiting the "insured" from commencing or continuing U.S. litigation.

I have decided insurance coverage disputes as an arbitrator or Federal Court Special Master and also represented companies against insurers as policyholder counsel in arbitration and litigation. It is CRITICAL that any company purchasing Cyber coverage in any form read, know and ACTUALLY UNDERSTAND all of the policy language, every endorsement and every exclusion. That rrequires you do that for each separate layer of coverage.  If you see these common traps, negotiate them out!!!!  

Cooperation between the CIO, CFO and company insurance counsel is absolutely essential. Good Insurance Brokers try to help their customers. BUT customers need to remember that their Brokers business ultimately depends on remaining on good terms with those same insurance companies.

Richard Faulkner, J.D., LL.M., F.C.I.Arb.

   OVER THE EDGE
A Virus Walks Into a Bar ...

Source: FORA.tv 

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Cartoon Contest: Bedtime Stories
Flash Poll