In today’s post my colleague Priya Cherian Huskins will be discussing whether private equity and venture capital firms need cyber liability insurance. – Lauri
Does every type of company need cyber liability insurance?
Recently while speaking on panels at various conferences, I’ve been asked to address the question of whether private equity and venture capital firms need cyber liability insurance. It’s an interesting question, and analyzing it is instructive for other types of businesses that are trying to understand whether cyber liability insurance might be useful for them.
Spoiler alert: Cyber liability insurance isn’t always the answer.
When Cyber Insurance Isn’t Really the Answer
Private equity and venture capital firms haven’t been big buyers of cyber policies—roughly speaking, about 50 percent of them buy this type of insurance. This is changing, and this change is driven by a number of factors.
One of the reasons more PE and VC firms are buying more cyber insurance is an odd one: the purchase is sometimes premised on a misunderstanding of the scope of cyber liability coverage (I’ll talk more about this in a minute).
In addition, PE/VC firms’ limited partners (LPs) sometimes ask about cyber coverage in a way that creates some check-the-box pressure just to buy something.
This pressure to purchase something is compounded by the fact that you can’t open a newspaper these days without seeing headlines about cyber incidents. All of this adds up to a desire to buy something that sounds like it’s the solution.
The problem is that there are a lot of cheap, poorly constructed cyber policies out there that some PE and VC firms end up buying. Even worse, there is also an abundance of expensive, poorly constructed cyber policies available in the market. Behind all of this is a misunderstanding of what cyber insurance should cover. This can lead to grave disappointment at the time of the claim.
A good example is when a PE or VC firm has a fraudulent wire transfer incident. Wire transfer fraud often happens as a result of business email compromise (BEC). Unfortunately, this type of cyber crime is on the rise.
Recent figures from the FBI show that BEC has cost victims $5 billion globally. This type of cyber crime is up there on the list of things that CFOs and general counsel of PE and VC firms worry about, because it’s easy to fall victim to.
Even though this type of activity seems like the quintessential cyber liability exposure, it’s not covered by a cyber insurance policy. It’s actually a crime policy that would respond.
I’ve written about the crime policy in this context before, here. It’s a great example of the care that must be taken when mapping your business risks into the insurance environment.
When Cyber Insurance Is the Answer
So, is cyber insurance something you even need to buy? When PE and VC firms analyze their internal exposure, for some, the policy will make sense; for others, it won’t.
As a reminder, cyber liability insurance has multiple components, and can be quite complex. One of the challenges for the PE and VC industries is that these policies were really written for operating companies and, as a result, can be an awkward fit. Often, these policies contain components that just aren’t that relevant to a private equity or venture capital firm.
However, there are elements that may be relevant. For example, the network security and privacy elements of the coverage tend to be a primary focus when PE and VC firms look into cyber policies.
These parts of a cyber liability policy can respond to everything from theft and destruction of data to unauthorized access. For firms that have PII (personally identifiable information) this is a relevant coverage.
A PE/VC firm might benefit from this coverage if it has a lot of employees and there are concerns about employee PII. Probably a greater concern for most of these types of firms is accidentally exposing the PII of high-net-worth individuals who are LPs.
It’s also the case that PE/VC firms are often engaged in the kind of diligence that may inadvertently lead to their having other people’s PII or even protected health information. This can lead to more potential exposure if their own network is hacked. For circumstances such as these, a cyber liability policy makes a lot of sense.
Another place where a PE or VC firm might reasonably expect to rely on a cyber policy is in the situation of ransomware, also a common cyber threat.
Ransomware is a type of cyber crime in which malware installed on a device encrypts files and gives control of them to the attacker, who then attempts to extort a ransom in exchange for releasing the data back to its owner.
I’ve written about this type of cyber crime before, here, and all industries are a potential target. Part of the benefit of having this addressed by your insurance policy is that many carriers have effective resources they can deploy on your behalf in a ransomware situation, in addition to providing a financial response.
(It’s worth mentioning that some “special risk” policies, also known as “kidnap and ransom” policies, may also provide coverage for ransomware events.)
Things to Note When Investing in Cyber Insurance
During the process of buying cyber coverage, there are some opportunities and challenges to keep in mind.
Problems with Overlapping Coverage
There are some brokers who sell a “customized” cyber policy for PE and VC firms that purports to respond not only in the way that we anticipate a cyber policy to respond, but also overlaps with the insurance agreements of other policies typically purchased by PE and VC firms.
These poorly constructed cyber policies have components that may interfere with a general partner liability (GPL) policy—the fundamental liability policy purchased by PE and VC firms.
It’s important to work with a broker who understands how these two policies should be dovetailed or segregated—otherwise, at the time of a claim, you will end up with a lot of turmoil in your efforts to achieve recovery.
Remember: overlapping coverage rarely means double coverage for these types of policies; it usually just means you’ve paid twice for the same coverage.
Opportunities for Cyber Risk Management
For some firms, the underwriting of the cyber liability insurance policy will be one of the first instances where someone at the firm is taking a systematic look at the firm’s cyber governance.
Rather than see the underwriting process as just a painful insurance-focused exercise, consider the opportunity it provides to bring focus and attention to the important issue of your firm’s cyber governance on a holistic basis.
This is a particularly valuable opportunity given the institutional investor and regulatory conversations that are afoot when it comes to cyber risk in PE and VC firms.
Remember, too, that when a PE or VC firm invests in another company, part of the diligence effort should likely involve cyber-related diligence—including a review of the potential portfolio company’s cyber liability insurance. This is especially true for PE firms. While no one wants to see a loss in a portfolio company, as a significant owner of each one of their portfolio companies, PE firms have more exposure to losses that can arise from the portfolio companies.
Many well-run PE and VC firms will ask experts from their insurance broker to look at the cyber policies of their portfolio companies. If you’re not already doing that, that is an easy move that can enhance your own diligence efforts.
So is cyber insurance right for you?
If you’re a PE or VC firm, it’s worth taking stock of your overall cyber risk before you decide whether or not a cyber policy is prudent for you. Look also to see if other insurance policies you are currently purchasing can respond to cyber threats, in some cases with additional endorsements.
To do this, your best next step is to engage with an experienced insurance broker who can help you map your business risks into the right, customized set of insurance policies.