Printed from BusinessInsurance.com

Cyber insurance policies vary widely and require close scrutiny

Posted On: May. 10, 2015 12:00 AM CST

Cyber insurance policies are a lot like snowflakes, a policyholder attorney says.

There are about 40 to 50 insurers that offer multiple products — all different — “and just a few words can make all the difference” whether or not a policyholder has excellent coverage, said Roberta D. Anderson, a partner at K&L Gates L.L.P. in Pittsburgh.

Ms. Anderson spoke during a session on advancements in cyber risk insurance late last month at the Risk & Insurance Management Society Inc.'s annual conference and exhibition in New Orleans.

While point-of-sale retailers, a category hit hard by cyber attacks, are seeing retentions and premiums increasing 100%, the premiums and negotiations for other industries are relatively unaffected, and coverage is getting broader, she said.

Ms. Anderson said policyholders should be sure their cyber coverage also applies to paper records and rogue employees, who often precipitate breaches.

Conduct exclusions applying to rogue employees in policies should be drawn “as narrowly as possible,” she said.

Also, pay attention to sublimits, because a $10 million primary policy is likely to have a $2 million or $5 million sublimit for regulatory actions, and policyholders want to make sure there is coverage available for fines and penalties to the extent permissible by law.

“Make sure the sublimit is sufficient,” Ms. Anderson said.

When it comes to network interruption coverage, “The important question to ask is: Does it cover you for contingent business interruption? The insurance industry is concerned about aggregation risk” should there be a cloud-related event.

“It's very, very important to make sure that the contingent business interruption coverage is sufficiently broad” to cover for cloud failure, Ms. Anderson said.

She recommended using the cyber framework proposed by the Gaithersburg, Maryland-based National Institute of Standards and Technology.

The NIST framework “is a really good vehicle for companies to get a good handle on the current state of cyber risk management,” Ms. Anderson said.

Although the framework is directed at critical infrastructure and is voluntary, “I think it's going to become a de facto standard for risk management,” she said.

Liability with respect to regulatory actions also is important because of increased scrutiny by regulators, Ms. Anderson said.

She noted that the U.S. Securities and Exchange Commission, the Federal Trade Commission and the Federal Communications Commission all have expressed interest in cyber breaches.

“One of the things the SEC is asking about, and asking a lot, is whether you have cyber insurance,” Ms. Anderson said.

Before obtaining cyber insurance, risk managers should conduct a risk assessment, determine where the gaps in coverage exist, compare their various policies, find any shortcomings and “tailor the cyber policy to fill those gaps,” said Timothy J. Flaherty, Pittsburgh-based manager of insurance risk management at Alcoa Inc., who also spoke during the session.

Face-to-face meetings with insurers are critical, and the topic of cyber exposures should be introduced to senior management. “Keeping them involved is critical,” Mr. Flaherty said of senior management.

Another key topic that risk managers should consider is the retroactive coverage date on their cyber policies, which can be obtained for as long as two years, he said.

Risk managers also should check with their corporate development team “to be sure if a potential acquisition is out there,” Mr. Flaherty said. The issue is how the acquisition's policies and buying company's policies align, he said.

In addition, make sure the cyber insurance “fills the gaps for any other policies you have in your risk management programs,” Mr. Flaherty said.

But negotiating cyber insurance can be a lengthy process, he said.

“This can be very protracted,” he said. In Alcoa's case, the company's first cyber policy, which was obtained a year ago, took eight months from the time its purchase was first considered to being bound, Mr. Flaherty said.