Perspectives: What the best cyber brokers do to help their clients


As outside insurance, risk management and coverage counsel for companies that run the gamut from small start-ups to Fortune 100 global conglomerates, we work with a lot of clients and brokerages on cyber insurance policy procurements, renewals and claims. Most of our clients have agreements with brokers that address the different services that will be provided for procuring insurance and handling claims. In our experience, there are a few things that the best brokers do to help their clients navigate the cyber risk landscape. Here they are:

Understand — and anticipate — the costs of a data breach 

We all know the common refrain that it is not a matter of “if” your company will be breached but “when.” And when that occurs, the first question executives and board members ask is “How much is this going to cost us?” 

Fortunately, there are several sources that brokers can share with their clients so that they understand what these incidents cost and can make better-informed decisions about what cyber insurance limits to purchase.

First, the best brokers share benchmarking information with their clients as to what other, similarly situated companies in that industry are purchasing for cyber insurance limits. 

Second, they point their clients to reliable secondary sources, such as the annual IBM “Cost of a Data Breach Report.” The 2023 report found that the average cost of a data breach reached an all-time high of $4.45 million globally. In the United States, it was $9.48 million. The average cost of a mega breach was far larger: $36 million for a breach involving 1 million to 10 million records and $332 million for a breach involving 50 million to 60 million records. 

Third, the best brokers help their clients consider what a business income or reputation loss may look like in the aftermath of a major cyber event. For manufacturing, retail and service provider companies, ransomware attacks or voluntary network shutdowns to neutralize the threat actor can be far more expensive than incident response and notification costs combined. Thus, the best brokers encourage their clients to consider retaining a forensic accountant to estimate the potential cost of a shutdown. These loss estimates will better inform a policyholder on limits they need to buy. 

Set up a smooth renewal process

While clients must lead the renewal process because they are in the best position to understand their business needs, exposures, risks and finances, and ultimately control what is purchased, brokers should help them understand the process and ensure they have all the information they need.

This begins by ensuring the client starts early and allowing sufficient time — often at least several months — for the renewal process to play out. Brokers should provide new forms and endorsements well in advance of any binding deadlines to allow time for clients to review and understand any changes; encourage all relevant personnel at the company to be involved in the renewal and application process, such as IT, legal, risk and finance teams; ensure the client understands the application questions and answers applications fully; and explain how inaccurate answers or omissions can impact coverage. Indeed, in many jurisdictions, a misrepresentation in the application, even if unintentional, has the potential to void coverage. 

The best brokers also help clients anticipate potential underwriter follow-up questions and ensure they are prepared for underwriting calls and bring all the right internal experts to the calls. 

Finally, they analyze the policy language of each specimen policy and work with the client and its in-house or outside counsel to seek additional endorsements, enhancements or manuscript language as appropriate. 

Cyber insurance is not a one-size-fits-all product, nor should it be. Policies should be tailored to each policyholder’s unique risk profile and each insurer’s risk appetite. And all parties should work to avoid ambiguous policy language so that they have shared expectations about how the policy will respond in those critical first hours and days following a breach. The best brokers ensure their clients understand not only pricing differences between quotes, but also how differences in policy language, sublimits, retentions, coinsurance, waiting periods, vendor panels and endorsements will impact coverage and incident response.

Ensure compatibility 

The best brokers make sure the policyholder’s incident response plan works harmoniously with the policy. Sophisticated policyholders have well-developed and well-practiced incident response plans, which typically call for the retention of specific vendors, such as cyber incident response legal counsel, crisis communications/public relations firms, and incident response IT vendors. Oftentimes, these are vendors that the client has a longstanding relationship with. Unfortunately, we have seen many situations where a new client’s cyber insurance policy did not conform with the company’s existing incident response plan, so that, after the cyberattack, the client may have hired unapproved vendors for whom the insurer disputed coverage.

Brokers should ask clients who their preferred vendors are and confirm they are on the proposed insurer’s panel or are otherwise pre-approved on the policy by endorsement. 

Avoid privilege issues 

The best brokers understand the legal ramifications of their role, including most notably as it concerns protecting clients from a privilege waiver. A policyholder and its insurer share a goal in minimizing potential liabilities, such as claims and regulatory actions, arising from a cyber incident, which gives rise to a “common interest” that, in most situations, protects the disclosure of privileged information between the two. 

In many cases, this “common interest” does not extend to brokers. Some courts have found the attorney-client privilege or the work product protection is waived by the inclusion of the broker or claims advocate in communications between an insured and its attorneys about legal analysis or strategy. 

Several court decisions discuss this issue because third-party claimants have sought communications between policyholders and brokers. 

Thus, the best brokers and claims advocates take care to protect their clients and avoid setting up a potential privilege waiver situation. They educate clients on how their inclusion on calls and written communications about legal strategy could impact privilege. 

Traditional coverage

Finally, when a breach occurs, the best brokers and claim advocates remember to consider traditional policies such as crime; kidnap, ransom and extortion; and property that may provide additional coverage. Losses resulting from fraudulent transfers, social engineering schemes and business email compromises may be covered solely under standard or endorsed insuring agreements to a crime policy, rather than a cyber or technology errors and omissions policy.

These other sources of recovery become particularly important where the policyholder’s cyber insurance limits are insufficient to cover the fall-out of a major cyber event. The best brokers know that some K&R policies provide sublimited coverage for cyber extortions and ransomware attacks. They also know that policies such as property, pollution, commercial general liability and professional liability may have endorsements that provide sublimited coverage for certain cyber risks and associated costs. They will also look to D&O insurance to potentially cover follow-on litigation. 

In sum, the best brokers understand their clients’ unique business and risk profiles in order to help put them in the best position to purchase the best coverage to protect against the ever-evolving cyber threats. 

Andrea DeField is a partner and co-lead of the cyber insurance practice at Hunton Andrews Kurth LLP in Miami. She can be reached by email at Kevin Small is counsel in the firm’s insurance coverage group in New York. He can be reached at