Companies are exposed to real cybersecurity threats on a nearly daily basis, yet 80 to 90 percent of companies with revenues below $1 billion have no cyber insurance, according to the insurance data firm Advisen. Researching policies and having a cybersecurity plan in place is a good start, but it is equally important to know what a policy does not include, so that your company is actually covered for the incidents it is most likely to face.
Here are some issues that small-cap boards should keep in mind as their companies consider purchasing cyber insurance.
Existing insurance. The first inclination of many boards is to assume that existing policies, such as directors and officers (D&O) or commercial general liability (CGL) coverage, will pay typical first-party claims (i.e., direct costs a company incurs because of a data breach, such as forensic investigation, data loss, business interruption, data remediation, public relations, and notifications) and third-party claims (i.e., liability arising from the failure to protect or properly store private information). Counsel's advice should be sought long before a breach is discovered, because D&O and CGL policies are often not designed to cover these (or other) first- and third-party claims arising from cyber breaches.
Relevant, experienced counsel. It is surprising how often corporate policies are purchased without experienced legal advice, especially at smaller companies. Given the complexity of cyber breaches and the relative novelty of cybersecurity and cyber insurance, companies should seek counsel with relevant, material, and recent experience in cyber insurance specifically, not merely in commercial insurance generally.
Garbage in, garbage out. Cyber insurance is a quickly evolving industry. Unlike many other areas of commercial insurance, it has a comparative paucity of actuarial data on cyber breaches. Consequently, many major carriers are conflicted: they would like to participate in a potentially lucrative segment, but they are cautious about underwriting a risk that is still not well understood. What does this mean for boards? When a broker emails a simple three-page cyber insurance application that barely addresses the quality and extent of your company's network architecture, physical and data security controls, and corporate risk culture, it should not be surprising that the resulting coverage is inadequate: the underwriter cannot price, or tailor coverage to, a risk it has not examined. Companies should pursue policies that are underwritten only after extensive, informed security assessments.
What is excluded? Savvy insurance veterans analyze policies principally with respect to what is excluded rather than what is covered. Many cyber insurance policies, for example, exclude "acts of war," "terrorism," and "state-sponsored acts." Because many serious intrusions are attributed, rightly or wrongly, to state-backed actors, such exclusions give an insurer ample opportunity to deny precisely the type of claim a company most wants paid. Focus on, and fully understand, what is excluded.
Administration is integral. As with other insurance products, what happens once a cyber breach claim is filed is a principal differentiator between carriers. An otherwise excellent cyber insurance policy can be rendered almost worthless by onerous or confusing claims procedures. Try to discern whether a prospective carrier acts as an active risk mitigation partner to its insureds, or whether it is more in the business of selling policies and moving on. Check references.
Purchasing cyber insurance can be a material part of any small-cap company's risk mitigation efforts and one component of its overall cybersecurity posture, but no matter how effective the policy or prominent the insurer, boards need to be mindful that nothing can replace comprehensive IT and physical security controls, training, and post-breach resiliency planning. Ultimately, what is at stake in a cyber breach is your company's brand, and no amount of insurance can repair that.
This article originally appeared in the May/June 2015 edition of Directorship Magazine.