What’s a risk manager to do? The “cyber” insurance marketplace can seem like an impenetrable thicket filled with a baffling array of disparate, disconnected coverages, a lack of any uniformity in policy wording, vast disparities in cost, and little available guidance. Comparing the quality and cost-effectiveness of competing products is a daunting task. It’s enough to make a risk manager’s head ache: How do I choose among the products the broker has presented to me? Am I buying the right types of coverage, in the right amounts, and at the right price? How can I demonstrate to my management that I am making the right choice?
The challenge is often compounded because the company approaches the purchasing decision from the wrong direction. When a company decides it needs cyber coverage, it generally starts by asking its broker: What’s available in the marketplace? What’s the broadest coverage I can get at the best price? The broker then collects basic information about the company’s business and finds some insurers willing to quote. The broker comes back to the company with several proposals—each consisting of a policy form, a schedule of coverage limits the insurer is willing to offer, and the corresponding premiums at which the insurer is willing to sell. Although the policy forms are not standard vis-à-vis one another, each one is standard for that insurer. Consequently, each insurer’s receptiveness to changes to the form may range from minimal to non-existent. The package may include a few endorsements designed to address issues specific to the individual company, but the policy as a whole can hardly be said to be tailor-made.
All too frequently, the company doesn’t start by asking itself the most important questions: Why do we need cyber coverage? What is our risk in relation to cyber events? Without knowing the answers to these questions, selecting from among the often widely differing options becomes an even more bewildering process. The result can be a cyber package including a hodgepodge of coverages, many of which are not responsive to the company’s risk profile—providing unnecessary coverages for which the company nevertheless must pay premiums, and leaving important gaps in coverage.
By contrast, the more rigorous the company is in analyzing its own risk factors before approaching the marketplace, the better job the broker can do in identifying the right insurers with the right policy forms, the better job the insurers can do in assessing the risk and pricing the coverage, and the better job the risk manager can do in evaluating the products being offered.
By way of example, here’s a list of just a few sources of cyber risks and corresponding coverages:
Click here to view the Table
Forearmed with a robust understanding of the company’s cyber risk profile, every risk manager will be better equipped to instruct the broker on what coverage to look for and to evaluate the options presented. It’s a cyber jungle out there—it’s best to map your needs and objectives before you venture.