Cyber Insurance differentiation
The start of 2017 has seen a nearly constant media trail covering cyber attacks and discussing the risks involved with hacking for businesses small to large and critical infrastructure networks. Yahoo is still in damage control and desperately trying to stop the value of their current buyout with Verizon from slipping any further. Verizon is rumored to pull out of the monstrous takeover for mainly cyber security and reputation concerns.
Many business owners are beginning to recognize the risk and impacts coming their way as a result of media coverage and internal discussions but are still unsure of the specifics regarding cyber insurance. With many options available and a broad range of differences between insurers' policy details, it is easy to take the cheapest stand-alone policy or rely on a ‘cyber extension’ added onto another existing insurance policy, for example by adding a $200,000 sub-limit onto a directors & officers or management liability policy. While these options may suit some businesses at this stage, we recommend asking yourself the following questions to assess your company's cyber insurance policy requirements.
What was disclosed in the proposal?
Most businesses are familiar with insurance proposal forms or applications. How a business discloses its operations has a great impact on the insurance policies written based on these details. The duty of disclosure states that any misrepresentations, omissions or incorrect statements in the application are grounds for withdrawal of the policy or a claim being declined. Organisations being left to weather the storm due to incorrectly disclosed activities is nothing new and has been argued by insurance providers on countless occasions.
Questions regarding turnover, staff numbers, products, assets, etc. are all standard and easily answered, but cyber insurance proposal forms have lately been raising eyebrows by asking questions about data retention, internal security protocols, penetration tests and audits, privacy policies and more. Some proposal forms are asking which third party vendors are being used (cloud, email & network service management) and whether their security procedures are in line with industry security compliance requirements.
Taking the time to discuss the proposal requirements with a counsel of staff and broker will no doubt help to ensure accurate information has been disclosed for your industry specific business situation.
Is this the right broker?
Having a broker with a keen interest in cyber security and your industry is key; we recently discussed the importance of having a cyber-savvy broker.
Arranging the most appropriate policy depends on accurate information from your staff and the best advice from your broker. Your adviser should be aware of industry specific litigation precedents as cyber insurance policies are still relatively new in court precedents and terms vary between insurance providers. Knowing the market differences in policy coverage from providers and how to negotiate tailored terms for your unique business needs is also important to keep in mind when assessing your broker. This will help to reduce gaps in cover which would be costly at claim time.
In the event of a claim, you want to be confident your business will be taken care of promptly and professionally. The majority of policies have approved third party vendors which will be used should a claim incident arise but knowing the best attorneys, security analysts, forensic investigators and other response providers is something your broker should be aware of and strive to recommend.
Protect your business with Cyber Insurance Australia.
What are the gaps in coverage?
For most business insurance policies there are certain industry specific clauses and endorsements which, if not reviewed, can cause large gaps in policy cover; cyber insurance is no different. Understanding and regularly disclosing the risks your business faces will help your adviser make the best amendments and decisions for cover.
Some insurers are offering a cyber liability sub section of cover which can easily be added onto a preexisting management liability or directors and officers policy. These additional sections usually have very restricted policy ‘triggers’ and a limit of liability lower than the national cyber attack average cost of around $276,323. As a result, Cyber Insurance Australia recommends arranging a stand-alone cyber insurance policy with a sufficient limit of indemnity. That may be the average cost, but some organisations' claim costs have certainly eclipsed this figure, as can be seen in recent claim examples.
First party costs are a standard part of these policies; however, third-party costs can be excluded. There have been a number of data breach class action lawsuits against organisations, not just from disgruntled members of the public who have had information leaked but also from a handful of B2B clients whose own business livelihood relies on services offered by the first party organisation. In one example, Amazon’s widely used web servers were affected by a large storm, which in turn caused a business disruption to a number of high profile clients such as Westpac, Dominos, Menulog and Foxtel Go. Under a traditional business interruption policy this disruption would not be covered, leaving businesses to cover their own expenses.
Having your broker understand how your business operates in the digital world is necessary for accurate cover. The 2016 US case against P.F. Chang's illustrates the importance of a greater level of industry knowledge required from insurers and brokers. The restaurant chain requested cover for PCI-DSS assessments but was not able to prove that request was correctly covered in its cyber insurance policy. As a result, Chang's was not covered for over $2 million in fees and assessments, which included the costs of notifying consumers, replacing cards and reimbursing fraudulent charges. These costs could have been avoided by a carefully worded amendment to the policy terms in line with the client's operations.
It is important to note that crime policies can potentially answer the call from a cyber event but these policies may not cover the complex and unknown details associated with cyber attacks. For example, human error is still the number 1 cause for malware attacks. In a recent US court of appeals decision, the court agreed with the insurer’s denial of cover due to the exposure being human failure to investigate and not a direct result of the malicious email. The decision sets a dangerous precedent for Australian businesses relying on existing policies to cover themselves.
Cyber Insurance Australia recommends reviewing policies annually to cover new business activities and threats as even the best policies should be reviewed regularly.
What will activate the cyber insurance policy?
Nightmare stories of insurance companies declining to cover something which the business owner thought was part of their policy are nothing new. The first question usually asked of your broker or adviser is always “are we covered?”. Understanding when and why your insurance policy will kick in and what is left uncovered is important and should always be discussed with your broker. We recommend having a meeting between your information security staff and your potential broker regarding industry specific risks and business operations to confirm any possible gaps in cover.
With the recent mandatory data breach notification bill being passed, one of the important questions is whether the policy has cover for suspected breaches and associated investigations or strictly confirmed breaches. Investigating a potential breach and reporting to the appropriate government body can be costly and time consuming. Due to the new breach law it is best practice to investigate any suspected breach at length, as the bill states any business caught not reporting a breach can be fined between $360,000 and $1.7 million.
Confirming if the policy is occurrence based or only applies upon discovery of a breach is one of the most important factors when reviewing cyber insurance cover. Yahoo and a range of high profile organisations have been victims of massive data breaches, but even at such a large corporate level these breaches were only discovered, shockingly, years later when investigating a different suspected breach.