Our clients have a lot of questions when it comes to cyber insurance. For this week’s op-ed, we asked Tim Burke, director of cyber risk at IMA, Inc., if he could discuss the two main questions that he receives from clients who are investigating cyber insurance as well as his typical response. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.
– David Zetoony
Frequently Asked Questions Regarding Cyber Insurance
By Tim Burke, IMA, Inc.
We have now reached a recognition by most commercial entities that cyber insurance is a “need to have” as opposed to a “nice to have.” Having been involved with cyber insurance dating to 1999, I have seen quite a bit of change in the marketing and scope of this coverage. Today, my job often involves presenting on this topic to a wide variety of audiences who pose engaging questions. Therefore, I have addressed within this post some of the most commonly received inquiries pertaining to cyber insurance.
Q: What is the biggest mistake you see when companies consider purchasing this coverage?
A: One consistent issue I see is companies viewing this issue as exclusively related to privacy breaches. The reasoning goes: if we do not maintain a significant amount of confidential information (e.g., PII, PHI, PCI), then we have no relevant exposure. That logic may be accurate to an extent, but the primary intent of the coverage is to address operational risks associated with failures of security and safeguarding confidential information. This can extend to internal operational errors as well as outsourced functions. The scope of coverage is broader than most realize and extends to first-party risks such as business interruption and costs to replace data. A recent example of this is the number of highly publicized ransomware attacks where there was significant operational disruption, including downtime and loss of data. Since most traditional property and casualty policies do not address new and emerging perils (malware, denial of service, encryption), cyber insurance policies have been specifically designed to address those gaps in your insurance portfolio. I often pose this guiding question: what is the enterprise value of your intangible property vs. tangible property and how does your insurance program reflect that?
Q: What suggestions can you provide for an effective procurement of this coverage?
A: The first suggestion is to recognize this is an enterprise risk issue, not an “IT” issue. As part of that consideration, you need to break down the silos within the organization to foster dialogue and awareness. Bring together a cross spectrum of relevant stakeholders (CISO, CIO, Legal, Risk Management, Finance, Marketing) to identify and quantify unique operational risks. Examples of unique “blind spots” we come across are outsourcing, industry-specific regulation, M&A and reputational impact. Build a consensus and then develop a list of coverage priorities. These priorities should then dictate your marketing goals. The cyber market is highly competitive (50+ carriers) with creative underwriters eager to write new business. You should also engage in direct dialogue with a prospective insurer, as underwriters welcome the opportunity to learn more about your operations. It also provides an opportunity for you and your broker to pose questions of them. As part of that discussion, include a representative from the claims department to discuss experience handling your peers’ claims, industry trends and expectations in the event of a claim. Ultimately, a well-thought-out strategy results in you dictating the pace to the marketplace as opposed to vice versa and eliminates any questions you may have on the viability of your coverage.