In a world where data breaches are becoming inevitable and the cost of those incidents averages $9.44M in the United States, cyber insurance is becoming increasingly attractive to companies of all kinds.
But for all the benefits that cyber insurance can provide, it’s quite costly. Premiums increased 92% year-over-year in 2021, and policies typically come with numerous exclusions alongside various other strings attached.
This isn’t to say that cyber insurance isn’t worth it. Quite the opposite: a strong cyber insurance policy can help mitigate financial damages following an incident, which can end up being more than worthwhile with incident recovery costs at record highs and continuing to climb.
Rather, it’s about making sure you select the right cyber insurance policy for your needs and have a strong understanding of what’s covered and what’s not so you can respond appropriately when a breach occurs.
With that in mind, here are the top eight provisions you need to watch out for when selecting (or reviewing) your cyber insurance policy.
1) What types of incidents, data, and devices are covered
First and foremost, you need to know what types of incidents, data, and devices are covered, and which types are not covered. This coverage differs across policies and can make a big difference in terms of the amount of protection your organization has as well as your response following a breach.
In terms of incidents covered, key areas to note include:
- Actions taken by employees: Some policies exclude employee actions, whether they are deemed insider threats or simple mistakes.
- Acts of war: Many policies have an exception for acts of war, which can be broadly defined as attacks led by a nation-state actor. With many attacks originating in Russia and China, there’s a lot of potential for insurance companies to tie hacking groups to those countries’ governments. However, there’s a lot of complexity in this area. For example, Merck & Co. recently won a lawsuit against insurers for denying coverage following a cyber incident that traced back to Russia’s military intelligence. The court ruled that insurers couldn’t claim the war exclusion because that language is intended for armed conflict. Similar cases could turn out differently going forward, though: the ruling noted that the outcome would have been different if insurers had changed the language to cover cyber incidents and notified organizations.
- Ransomware: Some insurers specifically exclude ransomware because it’s a very common type of attack and not as profitable to insure.
- Phishing: Similar to ransomware, insurers also often exclude phishing because it’s a common attack that’s less profitable to insure.
Different insurance policies may exclude certain types of data from coverage as well. Common examples to look for are exclusions for personal information, trade secrets, and confidential information.
Sometimes insurance policies exclude certain types of devices, particularly employee-owned devices, such as a smartphone or tablet that the employee uses to check their company email or run work-related apps. If that device becomes the vector for a breach, the incident might not be covered under some policies.
2) What constitutes discovery of an incident?
Next, it’s important to know what each policy defines as discovery of an incident, since that can impact notification timelines. Sometimes it’s discovery of the incident itself, but it can also be instances of loss or actual costs from being sued. In general, the definitions for discovery are very wide-ranging across cyber insurance policies.
Another important consideration around discovery is who needs to be part of the discovery for the clock to start. Some policies define discovery as awareness by certain executives only, whereas others define it as awareness by any employee at all. There are big gaps between these definitions, and policies in which any employee becoming aware of an incident triggers the discovery clock put a lot of pressure on having strong response protocols in place.
3) What is the notification timeline following discovery?
Once discovery occurs, it starts the clock on the window to notify the insurance company about an incident. And once again, those notification timelines can vary significantly. In some cases it’s 24 or 48 hours and in others it can be 30 days.
On the surface, 30 days sounds like the ideal timeline because it’s a much longer clock than a matter of hours, but in many cases policies will exclude costs incurred before notification. As a result, it’s important to look at stipulations for coverage in relation to the notification timeline.
4) What are the stipulations for coverage?
Beyond stipulations for not covering costs incurred prior to notification, it’s very common for policies to require approval from the insurer before your company can spend money on anything.
That said, many insurers have a panel of pre-approved providers that are available to use right away. It doesn’t mean you can’t use a provider outside of that list, but those providers will require approval from the insurer, which can take time – and approval is not guaranteed.
5) Who is on the panel of approved providers?
With that in mind, consider which providers are on the approved panel. Are they the ones you want to use when something happens? These providers are generally ones with whom the insurer has negotiated a lower rate, so depending on the sensitivity of a given incident, your company may decide you want to use another provider already trusted by your team. If the insurer is unwilling to cover a more expensive firm, this could be a big sticking point.
One interesting dynamic with panels of approved providers is that they can often create a tough conflict of interest for the providers. Consider a case where you engage an outside counsel from the panel but then the insurance company finds a reason not to cover those costs. The outside counsel still has a duty to your company as their client, but this may create a situation in which the insurer feels the counsel wasn’t forthcoming and decides to drop them from the panel as a result. While it’s hard to say when these instances will arise, it’s always something to be aware of when engaging with panel providers.
6) What types of costs are covered?
In general, it’s important to know what types of costs and how much of those costs are covered by the policy. Each policy typically has a number (e.g. $3M, $10M), and some policies cap how much within that number can be spent on certain types of costs.
For instance, some policies exclude contract disputes, which are a huge potential cost your company can incur following an incident, since any lawsuit brought by a customer is considered a contract dispute. As a result, this type of exclusion would leave your company without coverage for long-tail costs, which can extend numerous years after the incident itself – even if you still have coverage dollars available under your total number.
Another common exclusion to look out for relates to cryptocurrency losses. In ransomware attacks, in which hackers steal data and hold it captive in exchange for a ransom payment, the attackers often ask for the payment to be made in cryptocurrency. A clause that excludes costs associated with cryptocurrency losses traditionally means the policy doesn’t cover instances where cryptocurrency itself gets stolen. But insurers could make a creative argument for applying this clause to ransomware payments made using cryptocurrency.
7) Are you precluded from disclosing that you have cyber insurance?
Another common stipulation in cyber insurance policies precludes companies from letting an adversary know that they have insurance without the consent of the insurer. This is because once the adversary knows your company has insurance, they will typically ask for more money during ransomware negotiations because they know it’s not coming out of your pocket.
As a related point, if your cyber insurance policy does preclude you from disclosing that you have coverage, then the policy documents will need to be safeguarded in the same way you would protect other highly sensitive documents, like those containing trade secrets. This is important because if an adversary does find a document related to your insurance policy and they can see your policy limit, they will typically start off by asking for that exact amount in ransomware negotiations.
8) What is the retention number?
Finally, each cyber insurance policy has a retention number. Similar to a deductible in other types of insurance, the retention number is the amount your company has to spend before the insurer is on the hook for covering costs. As with everything else, these numbers can vary widely across policies, so it’s critical to know your policy’s number.
When an incident occurs, your team will also want to consider whether or not you think your response will cost less than the retention number. If you do think it will cost less than the retention number, you might not want to notify your insurer about the incident, since that will kick off lengthy approval processes and inject a third party into your incident response process – which creates a lot of extra work.
Because response needs to happen so quickly and notification timelines may be short, it’s helpful to set a dollar threshold based on your retention number ahead of time. That way, when an incident does occur, your team can quickly estimate costs and then make a clear decision about whether or not to notify the insurer based on whether the costs fall above or below the threshold. That said, many companies will choose to notify their insurer no matter what, because there’s a lot of unpredictability in incident response and you never know how big it might become.
Make it a Priority to Understand Your Cyber Insurance Policy
Cyber insurance policies are becoming increasingly important in today’s incident-heavy world. But in order to choose the right policy for your team and then get the most out of your policy when you need it, it’s important to understand certain key provisions contained within it.
That said, when an incident does strike, don’t take it as a foregone conclusion that you need to bring in your insurer. Working with your insurer inserts another party into your business – they have a lot of audit rights and can steer you toward working with certain providers. Large companies with established incident response policies may not always appreciate this heavy-handed approach, especially if the cost of the incident falls on the lower side. On the other hand, smaller companies and those who are less prepared for incident response may find value in this level of involvement.
Whatever you decide, be sure to take the time upfront to really understand your company’s cyber insurance policy so that you know exactly what to expect when an incident strikes.