Questions to Ask Your Cyber Insurer

Questions to Ask Your Cyber Insurer

July 3, 2018 Business Insurance and Risk Management, The Beacon Blog 0 Comments

As has been said many times but bears repeating, cyber security – and therefore cyber insurance – is complicated. A recent post at lists nine questions to ask your cyber insurer. Depending on your operations, you may have more than nine questions, but these (with some comments of my own) should be among them:

  1. Does your policy cover vendor’s errors? Read the definition of “your computer system”; it should include systems operated on your behalf and cloud services.
  2. Does it cover data breach from any source? Both outside cyber attacks and employee acts or omissions should be covered. (If computer fraud is not part of your Crime coverage, it can be insured in a Cyber package.)
  3. Are there  exclusions or limitations on cloud related risks? As mentioned above, cloud services should be fully covered to the extent the cloud provider does not assume liability.
  4. Is there retroactive coverage? Cyber liability is usually written on a claims made basis. If the policy also states that a covered incident must occur during the policy period, a prior unidentified data breach is not covered. Only breaches known to an individual responsible for such knowledge (many Cyber policies will define “responsible individuals” using various terms) prior to policy inception should be excluded.
  5. Are there geographic limits? Coverage should be worldwide.
  6. Are physical breaches covered? Telephones, security cameras and other devices in the “Internet of Things” can be hacked. If physical damage is excluded from Property insurance, your Cyber policy should have first party coverage. (Don’t overlook business interruption if you do much business online – standard forms have limited coverage for interruption of computer operations.)
  7. What is the insurer’s notice procedure? Every policy includes conditions on how and when to report a claim or potential claim.
  8. Can I get premium credit for good cyber security management? (Conversely, is there an exclusion for failure to follow established security procedures?)
  9. Does my policy cover fines and penalties? If you depend on credit or other payment cards, you need coverage for PCI-DSS assessments. If your business is regulated, the policy should cover regulatory fines and penalties (note – sub-limits may apply). You should also have coverage for legally required services to data breach victims.

To answer these and other questions, you or your broker should read your policy carefully and be aware of the details which may be the difference between a covered and uncovered loss.

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.