Cyber Insurance In 2019
In an online article for CPO Magazine, Scott Ikeda has a caution for cyber insurance buyers. The title says it all: “Cyber Insurance: You Get What You Pay For”. The complete article is at https://www.cpomagazine.com/cyber-security/cyber-insurance-you-get-what-you-pay-for.
Citing a recent study by FM Global and expert comments at the Black Hat USA security conference in Las Vegas, Ikeda describes fierce competition and price wars in the cyber insurance market. Some insurers cut prices while reducing coverage; others try to capitalize on publicity about data breaches but do not understand cybersecurity (what used to be called “innocent capacity” when I was a young underwriter).
The FM Global survey of 105 CFOs at companies with over $1 billion in annual revenue showed that 45% expected cyber insurance to cover most of a data breach loss, and 26% expected full coverage. Depending on how policies are drafted, this may be too much to expect. Coverage limited to liability, customer notification and replacement of lost data does not go far enough. The cost of business interruption, regulatory compliance and damage to reputation can and should be insured. For businesses relying on credit card sales, PCI DSS fines and penalties can be heavy and should also be insured. Policies should also cover recent changes in cybersecurity regulations.
Speakers at the Black Hat conference stated that neither customers nor insurers fully understand what cyber policies should contain. Jeffrey Smith of Cyber Risk Underwriters estimated that only about 20 insurers really understand how to assess cyber risk. While almost all claims are being paid, this may be because customers have less insurance than they need, so their claims fall well within the limits.
Even if customers buy a broad range of coverage, they must be careful to check for exclusions that may result in claim denials. Examples of such exclusions are failure to take “reasonable” steps to maintain security and failure to encrypt data on mobile devices; since “reasonable” is rarely defined in the policy, the organization should be able to document the controls it actually has in place. War exclusions should at least have an exception for cyber terrorism.
The first step in buying cyber insurance is to complete an application. The organization’s IT department or service provider should supply and explain the technical details, since inaccurate answers on the application can later be used to deny a claim. Before buying a policy, review a specimen form and try to negotiate the broadest coverage. Once the policy is in place, include the insurer’s claim reporting requirements and deadlines in the organization’s incident response plan. Train employees to minimize data breaches.
At Beacon our focus is providing the best cyber insurance for our clients, not the cheapest. Call us to discuss your insurance needs.