Cut Through the Confusion: 5 Steps to the Right Cyber Insurance Coverage
Many small and midsize businesses and law firms are going without cyber coverage, perhaps because of confusion about how to get the right policy. That doesn't have to happen.
March 16, 2018 at 08:00 AM
5 minute read
As companies recognize that cyber risk cannot be eliminated, only managed, they are increasingly looking to transfer residual cyber risks through insurance. Still, many small and midsize businesses and law firms are going without cyber coverage, perhaps because of confusion about how to get the right policy. Despite the undeniable challenges presented by today's cyber insurance market, businesses of all sizes can cut through the confusion and obtain the right cyber insurance for their enterprise by following this five step process:
Step 1: Identify Cyber Risks
The first step in the process is to assess the entity's exposure to cyber perils. Not every company is the same, and the cybersecurity and privacy risks facing an online retailer, for example, would be different from those facing a consulting company.
Companies should take an enterprise-wide approach to this step to ensure that the risks facing all divisions within the business are incorporated into the assessment. Multiple stakeholders within the organization, and potentially some from outside of the organization (technology vendors, for example), should be consulted.
Step 2: Examine Existing Coverage
Next, companies should carefully examine their existing insurance policies to determine how their current coverages match up with the cyber risks that have identified in Step 1. Traditional property and liability policies, as well as crime and kidnap and ransom policies, can contain some protection against cyber risks.
That said, many insurers have taken steps to exclude cyber-related risks under traditional policies and are vigorously fighting cyber claims under these non-cyber forms. Although some businesses have successfully recovered for cyber claims under such policies, relying on them for comprehensive cyber coverage is risky.
It's important to note, however, that express cyber coverage may be included by endorsement to a traditional policy. Because redundancies in coverage can create coverage issues in the event of a claim, companies should take steps to identify any such coverages before buying a cyber policy and reconcile their existing coverage with the cyber form.
Step 3: Applying for Cyber Coverage
Although there is no standard application for cyber insurance, insurers usually ask for similar types of information from the prospective insured. Insurers will inquire as to the company's policies and practices around cybersecurity, data handling, usage, and storage, vendor management and privacy. Companies likely will have to involve a number of stakeholders, including outside service providers, when responding to application questions.
Care should be taken to accurately complete the application, which will become part of the policy if one is issued. It's critically important to seek clarification before responding to any ambiguous or unclear questions.
Applications may require the signature of the company's president, CEO and/or CIO, who must attest to the accuracy of the company's responses. Inaccurate information provided in the application may jeopardize coverage if a claim is later tendered under the policy.
Step 4: Finding the Right Cover in Today's Dynamic Cyber Insurance Market
Next, companies should find a policy that covers the risks identified in Step 1. But because there is no standard cyber insurance policy form—and all policies are not created equal—care must be taken to carefully review the terms of any prospective policy to make sure it's a good fit for the company's needs. Additional factors to consider include the insurer's reputation for handling and paying claims and whether it provides free or discounted cyber risk mitigation services (such as risk assessments, training, and incident response training). Purchasing decisions made strictly on price may ultimately prove to be much more costly.
Although today's dynamic cyber insurance market creates challenges for insurance buyers, it also provides an opportunity to negotiate for better policy terms and coverage tailored to the company's unique cyber needs. Companies should exercise their leverage during the insurance buying process to get the best possible coverage.
Step 5: Post-Coverage Considerations
Once coverage is in place, the insured should take steps to understand and operationalize the various requirements and policy conditions with which it must comply. For example, the policy may require the insured to get the insurer's prior written consent before paying a ransomware demand or hiring a consultant after a data breach. The processes mandated by the policy in the event of a claim also must be understood.
In addition, it's a good practice to periodically monitor and evaluate coverage in light of evolving business needs, such as merger and acquisition activity. The insured also should keep an eye on the changing cyber threat landscape to ensure that its coverage remains adequate. New coverages offered by insurers also should be monitored.
Judy Selby, JD, is a Principal of Judy Selby Consulting LLC and a senior advisor at Hanover Stone Partners LLC. She provides insurance consulting, cyber insurance analysis, and insurance coverage expert witness services, with a particular focus on cyber-related issues.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1'The Show Must Go On': Solo-GC-of-Year Kevin Colby Pulls Off Perpetual Juggling Act
- 2Legal Speak at General Counsel Conference East 2024: Match Group's Katie Dugan & Herrick's Carol Goodman
- 3Legal Speak at General Counsel Conference East 2024: Eric Wall, Executive VP, Syllo
- 4Battle for Top Talent Accelerates Amid Profit and Demand Surge
- 5Friday Newspaper
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
