More and more companies are aware that they cannot afford to go without Cyber Liability insurance. A robust Cyber insurance policy serves as an important risk transfer mechanism. It helps with the costs to notify and provide credit monitoring for individuals affected by a breach. It can also be designed to address the costs of forensics to determine what data has been taken and legal fees for understanding how to comply with the myriad of notification statutes as well as regulatory fines and penalties. These policies can also help defray the cost of defense should the organization be sued over the event. In addition, Cyber insurance motivates customers wishing to be insured to follow good cyber security practices as a condition of eligibility for insurance.
What is important with Cyber insurance is securing the right type of policy – looking inside the policy to understand fully what is and isn’t covered – as there are many Cyber policies on the market now from which to choose. Policies vary widely with different coverage caveats, exemptions and limitations. For example, state-sponsored cyber attacks are not covered by Cyber Liability insurance, although this area is evolving as insurers begin to realize how difficult it is to attribute an attack, no matter how sophisticated, to a nation state rather than some other group.
In addition, the amount of Cyber insurance a company can purchase will vary depending on a company’s financials, industry, operations, and risk exposures. There also may be sub-limits for different categories, such as forensics and notification breach costs, regulatory fines and penalties.
Most policies also include a time element deductible to trigger the business interruption coverage in addition to a dollar deductible. For example, a Cyber policy might require that a network be impaired for more than eight hours due to a security failure for the business interruption coverage to apply.
Insurers generally offer retroactive Cyber coverage that extends back in time one, two, five or 10 years. If an organization’s coverage has a retroactive date of the year 2000, and a breach that happened in 2000 was just discovered in 2014, the organization would have coverage. If the breach began before the year 2000, then coverage would not be available.
It is also critical to see how devices are defined in a Cyber policy. If a computer system is defined as a computer system owned by the organization, the organization may not be covered for employee-owned devices that might be the cause of the breach.
Caitlin Morgan provides a broad spectrum of Cyber insurance solutions and can help you secure a policy that fits your client’s needs. We can also assist you in detailing the coverages available and how each is triggered, any exclusions and other limitations that are important for insureds to understand. Give us a call at 877.226.1027.