Despite significant growth in the cyber insurance market with new companies purchasing a policy for the first time nearly every day, there remains quite a bit of uncertainty over some of the basic coverage elements in a cyber insurance policy. Confusion reigns amongst stakeholders responsible for cybersecurity, specifically Chief Security Information Officiers (CISOs). A concern that we often hear from CISOs is their belief that cyber insurance will exclude a claim if they don’t keep up to date on the latest cyber security patches or tools. Thankfully, that’s a concern that is easily addressed.
While these concerns are easily addressed, it’s important to note that they’re not unfounded. The most often referred to case is a lawsuit involving CNA and Cottage Health System in 2015. CNA, via their insuring company Columbia Casualty, issued a cyber insurance policy to Cottage Health System based on information provided by Cottage Health System in their application for insurance. The policy form used by CNA at the time included an exclusion titled “Failure to Follow Minimum Required Practices” which excluded claims when the applicant did not implement or follow the controls they indicated were in place on their insurance application. When Cottage Health suffered a data breach in 2013, they looked to their cyber insurance policy to help respond. After initially covering the claim and funding a settlement, CNA filed a lawsuit seeking a declaratory judgement that the claim should not be covered based upon the noted exclusion and a misrepresentation by Cottage in their insurance application regarding the extent of cyber security controls.
The lawsuit hit on a pain point that CISOs are acutely aware of: maintaining security is difficult. It requires near-constant vigilance and diligent processes around implementing patches, updating software, and deploying it to complex organization networks. While this lawsuit was ultimately dismissed and settled via an alternative dispute resolution process, but the lasting impression had been made: Cyber insurance policies would look to exclude claims for a failure of security maintenance.
Modern Cyber Insurance
Despite the concerns of CISOs that cyber insurance won’t respond when security is not maintained, the reality of modern cyber insurance is that exclusions like the “Failure to Follow Minimum Required Practices” in the CNA form no longer exist. The underlying data breach in the CNA/Cottage Health dispute happened in 2013, and cyber insurance policy forms have come a long way since then. Even at the time of the lawsuit being filed in 2015, many well-brokered cyber insurance policies had similar exclusions negotiated out of the contract.
The most disappointing aspect of this CISO concern is that cyber insurance is actually built to respond to security failures. A well-brokered policy will help get your business back up and running quickly, paying for costs such as lost profits and fixed expenses during downtime or legal expenses and IT forensic costs incurred to respond to a data theft. If cyber insurance didn’t respond when security failed, the market for this type of insurance would not have lasted as long as it has or grown nearly as quickly.
Key Items to Keep in Mind
As with all insurance, having the advice and counsel of experts will be helpful in determining the best insurance product to address your business-specific risks. When it comes to cyber insurance, here are 4 things to keep in mind:
- Policy Language is negotiable. A well-brokered cyber policy will not include any exclusions for failure to update a security control. Underwriters take patching cadence and other risk metrics under consideration before deciding to offer a quote.
- The application process is important. Completing a cyber insurance application can be frustrating and require multiple business leaders to get all the answers. But taking the time to assess yourself accurately can be beneficial in the long-run. It’s always better to know your risks than to stick your head in the sand.
- Cyber policies are not auditable. A post-claim review will not result in increased premiums or more restrictive terms during the same policy period. All terms and conditions are re-assessed at the renewal of the policy, typically at least once a year.
- Invest in a dedicated cyber insurance policy. Relying on general liability or property liability policies is fraught with peril, and many times the coverage granted for cyber risks on other lines of insurance is much more limited than that offered in the dedicated cyber insurance market.
Cyber insurance can be complex, but it can also be a valuable tool in mitigating your business risk from a failure of cybersecurity. Thankfully, the concerns of CISOs with regards to cyber insurance have been addressed and the result is a much more clear value proposition for purchasing cyber insurance.
Reach out to WS experts for more information regarding cyber liability insurance.