Questions to Ask Your Cyber Insurer
As has been said many times but bears repeating, cyber security – and therefore cyber insurance – is complicated. A recent post at https://www.jdsupra.com/legalnews/cyber-security-insurance-nine-questions-91584 lists nine questions to ask your cyber insurer. Depending on your operations, you may have more than nine questions, but these (with some comments of my own) should be among them:
- Does your policy cover vendors’ errors? Read the definition of “your computer system”; it should include systems operated on your behalf and cloud services.
- Does it cover data breach from any source? Both outside cyber attacks and employee acts or omissions should be covered. (If computer fraud is not part of your Crime coverage, it can be insured in a Cyber package.)
- Are there exclusions or limitations on cloud-related risks? As mentioned above, cloud services should be fully covered to the extent the cloud provider does not assume liability.
- Is there retroactive coverage? Cyber liability is usually written on a claims-made basis. If the policy also states that a covered incident must occur during the policy period, a prior unidentified data breach is not covered. Only breaches known to an individual responsible for such knowledge (many Cyber policies will define “responsible individuals” using various terms) prior to policy inception should be excluded.
- Are there geographic limits? Coverage should be worldwide.
- Are physical breaches covered? Telephones, security cameras and other devices in the “Internet of Things” can be hacked. If physical damage is excluded from Property insurance, your Cyber policy should have first party coverage. (Don’t overlook business interruption if you do much business online – standard forms have limited coverage for interruption of computer operations.)
- What is the insurer’s notice procedure? Every policy includes conditions on how and when to report a claim or potential claim.
- Can I get premium credit for good cyber security management? (Conversely, is there an exclusion for failure to follow established security procedures?)
- Does my policy cover fines and penalties? If you depend on credit or other payment cards, you need coverage for PCI-DSS assessments. If your business is regulated, the policy should cover regulatory fines and penalties (note – sub-limits may apply). You should also have coverage for legally required services to data breach victims.
To answer these and other questions, you or your broker should read your policy carefully and be aware of the details that may be the difference between a covered and an uncovered loss.