Tag Archives: Cyberinsurance

Cyber Insurance Demand Heats Up

Insurance brokers and industry attorneys say that cyber insurance is heating up.

They are seeing both an uptick in CLAIMS and an uptick in INQUIRIES, likely as a result of an uptick in attacks.

Actually, the uptick in attacks is more like a flood since Covid-19 came around. Note that many of them won’t be detected until business as usual resumes – whenever that is.

The issue is that the move to work at home has increased the attack surface, for a lot of reasons, including the fact that companies did not have the time to plan for it.

At least some of you have cyber policies, so here are some questions to be asking. For those of you buying, this is a great time to ask questions.

First of all, do you have the right coverages? We have seen many policies that do not include ransomware coverage. Kind of a problem these days.

Insurance broker Marsh says that they are not seeing Covid-19 exclusions (or more generally pandemic exclusions) – yet.

But they are seeing carriers asking more questions – for example about disaster recovery and business continuity – things that would be very important to have during a ransomware attack and which, if not in place, will definitely cost the carrier a lot of money to spin up in real time.

Aon says they are seeing more scrutiny during underwriting. The carriers are asking about whether prospects have adequate security measures in place for remote working.

Then there is that wonderful catchall – do you maintain reasonable security measures? That is something that your lawyer and your insurance company’s team of lawyers can argue about for a long (expensive) time.

Zurich insurance says that businesses who are dealing with the pandemic should focus on risk mitigation and conduct cyber risk assessments to identify their specific risks.

Then there are basic questions like the definition of a computer network. Is your employee, using his or her personally owned computer, running on his or her personally owned WiFi connection, considered part of your computer network? What about personally owned hardware? Is it covered?

Whether the carrier wins that argument or not, they may try to wear you down.

And you need to understand what coverage you have when it comes to breach response costs. There may be sub-limits and restrictions and those costs may be deducted from the total coverage available.

Will there be coverage if your employee’s home WiFi was compromised years ago, the employee didn’t do anything to secure it or detect the breach and you get hit for a CCPA breach lawsuit for data leaking out that way? Running, potentially, in the millions.

These are all risks that you need to understand, and before a breach would be a really good time to do that.

Credit: Law360

Is Cyber Risk Insurance a Cure?

Let me cut to the chase – the answer is no.  It is a way to help pay for the damage, but that is about all.

In the article referenced below, the author thoughtfully explains the role of cyber risk insurance –  a post-fail risk offset.

The key word there is fail.

Failing in the sense of failing to avoid the breach in the first place.

The aftereffects of most breaches are damage control and lawsuits that go on for years. Some percentage of companies – a small percentage – go out of business after a breach. Usually there are scapegoats – someone or some people have to be fired.

While cyber risk insurance can help cover the costs of ongoing litigation, it won’t pay for the fact that executives are distracted for years.  Depending on the cost of the litigation, it might not even pay for all of the costs of litigation.  It won’t pay for you to find a new job and it won’t make customers come back to your brand.

Cyber risk insurance is an important tool but just a tool.  Like every other tool, it is important that it is the right tool.  While you can probably bang in a nail with a screwdriver, the results are likely to be sub-optimal.

And, since cyber risk insurance is typically not regulated, it is important that you get a hammer if you need a hammer. Nothing is worse than making an insurance claim and having the insurance company tell you that it is not covered. In the case of cyber risk insurance this happens more often than with some other forms of insurance. This doesn’t mean that cyber risk insurance is useless; it just means that you need to buy from someone who is an expert in the area when you are buying coverage.

My first question for an insurance broker that you are considering using to buy cyber risk insurance is: how many cyber risk policies did you write in, say, the last 3 months, and what is the total dollar coverage of those policies? Insurance sales people are commissioned. If cyber risk insurance represents a small part of their paycheck, you can figure out the rest. If cyber risk is not their primary focus, they are unlikely to take the time to become experts in the area. It is a bit of a wild west. You are pretty much on your own.

All that being said, it is much better to have the coverage in the unfortunate situation that you need it – it is just not a replacement for doing things right.

Most of the time, cyber crime is an opportunistic crime.  Believe it or not, Equifax was not specifically targeted.  But because they had a horrible cybersecurity program, they have spent over a billion dollars recovering from it.

I don’t think they had a billion plus dollars in insurance coverage, so insurance will not make them whole and it is unlikely to make you whole. It will reduce the pain, but that is not the same thing.

So what should you do?

#1 – implement a great cybersecurity and privacy program

#2 – get some cyber risk insurance because stuff happens.

But do it in that order.

Source: Dark Reading