A strong cyber insurance program is a critical risk management tool for companies, regardless of size or industry focus. When properly crafted, cyber insurance should protect a company against the costs of investigating cyber incidents, responding to “cyber extortion” demands and business interruptions, and dealing with claims that often come as a result of breaches.
We share some practical tips and key considerations for building a strong cyber insurance program below.
Start by Retaining a Good Broker. You should always choose a well-regarded insurance broker with a deep base of experience and expertise as well as a focus on cyber insurance. Choosing the right broker sets the tone for the overall quality of the insurance program, both during the policy negotiation and placement phase and later in the event of incidents or claims.
The Application Process. Applying for cyber insurance can be time-consuming and requires extensive input from numerous stakeholders in the company, including legal, IT, and finance. We strongly recommend that you take the time to understand and fully respond to all underwriting questions and involve the most knowledgeable individuals in your organization to confirm the accuracy of the answers. Insurers may scrutinize the accuracy of application responses in the event of a cyber incident. Having a carefully vetted insurance application in place can help minimize an insurer’s ability to argue that a company was not forthcoming about its operations during the underwriting process.
Picking the Right Insurer. The good news is that the cyber insurance market is highly competitive and there are a number of reputable insurers competing on the basis of price, retention, coverage enhancements, and other features. Although premiums are an important factor, you should also ask your broker and legal counsel about the breadth of coverage being offered and the insurer’s reputation for handling claims. It is crucial that the insurance comes from well-rated and experienced insurers knowledgeable about cyber exposures and willing to partner with your company in the event of an incident or claim.
Know Your (Policy) Limits. A common way to determine an appropriate amount of cyber insurance coverage is through the “benchmarking process”, in which a broker will compare insurance limits of peer companies to generate a suggested range of limits. Company-specific factors such as type of business, size of customer base, types of data held, and regulatory and counterparty requirements, in addition to market trends such as recent settlement and judgment data, are typically considered in the analysis. (Remember, a cyber policy typically has a wide range of coverages, so benchmarking needs to account for many or all of those coverages potentially being triggered by a cyber incident.) Additionally, certain cyber coverages, such as e-crime coverage, are offered only as “sublimits” (an amount less than the full policy limits), so you should make sure any sublimits under your policy are sufficient for your company’s needs.
Building the Program. Cyber insurance is not a “check the box” kind of coverage. It can cover a wide variety of operational risks, typically integrated into one master policy. Coverage can include investigation and remediation of cyber incidents, cyber extortion demands, e-crime loss, data restoration costs, business interruption loss, and claims brought by third parties arising from cyber incidents or data theft. Cyber insurance can also include technology “errors and omissions” coverage, intended to respond to customer claims relating to your company’s technology services or products. A good broker should proactively advise as to which coverages are recommended for your company’s risk profile.
Negotiating the Policy. Cyber insurance policies are often heavily negotiated contracts, and starting the negotiation process early is key. Each insurer typically uses its own unique policy form, often modified by various “endorsements” that can improve the scope of coverage. The proposed policy materials should be carefully reviewed and negotiated by your broker and legal counsel to ensure that the policy language is market-competitive and that the different coverage components work well together.
A Word About Choice of Professionals. Many cyber insurance policies require insureds to select from preapproved “panel” provider lists. Consider which providers (such as breach counsel or forensic investigation firms) you want to work with in the event of a cyber incident or claim. Selection of alternate providers, including counsel, may require a discussion with the insurer, including with respect to insurer-placed caps on hourly billing rates.
Reassess, Reassess. Cyber insurance coverage should be carefully reassessed on a periodic basis, usually in conjunction with the policy renewal cycle, to maintain competitive coverage tailored to your company’s needs. Generally, in a year’s time, policy enhancements, insurance markets, regulatory and litigation climates, as well as your company’s business, geographic footprint, and risk profile, can change. Those types of developments warrant a fresh evaluation of your company’s cyber insurance needs.
Conclusion
Building, maintaining, and effectively using cyber insurance requires specialized knowledge and collaboration between your company and its advisers. The bottom line: in our experience, there simply is no such thing as a one-size-fits-all cyber policy – that coverage should be reviewed and tailored to your company’s specific needs.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
Brian H. Mukherjee
Counsel