Most of our clients have to make decisions regarding cyber insurance every year – whether they are deciding to go to market for the first time, coming up for renewal, or considering switching providers. We asked a cyber insurance expert her opinion as to whether it’s worth testing the cyber insurance market even if you decide not to move forward on coverage. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.
– David Zetoony
Cyber Insurance – Just as Much Benefit in Preparing for the Submission as There is in Procuring the Coverage
By Florence Levy, JLT Specialty USA
The process of purchasing cyber insurance can be a daunting task. With the onslaught of cyber and privacy-related breaches in the news, including prevalent ransomware attacks and social engineering schemes that impersonate high-level executives to induce improper funds transfers, the risks are high. The good news is that today’s more rigorous submission process can uncover a number of opportunities for companies to improve their cyber defenses.
Underwriters are becoming savvier in their due diligence in an effort to keep up with technology and its associated exposures. Some employ internal resources such as risk engineers, or outsource the more technical aspects to network security professionals. The questions can be numerous, the topics diverse, and it takes a multidisciplinary, enterprise-wide approach to answer them.
For example, in reviewing your contracts for limitations of liability relating to cyber exposures, you may discover that you have no “standard” wording covering cyber-related exposures for clients or vendors. This may encourage you to work with your legal and sales staff to revamp your contractual language and ensure that appropriate limitation of liability and hold harmless clauses are in place.
You may also discover that your company does little or no training for employees regarding cyber and privacy awareness. With a significant number of incidents stemming from internal employee error, negligence, or, frankly, rogue employees, it’s imperative to appropriately train your staff on security and privacy risks. Consequently, you may work closely with your HR and legal departments to ensure that new employees are properly vetted, and to sign off on a cyber-risk training program that covers data retention, access and classification policies.
This process will assist you in quantifying and qualifying cyber risk by taking inventory of information assets, reviewing and adopting any relevant or necessary compliance frameworks, identifying key vulnerabilities, and potentially creating internal positions that you may never have thought important or relevant (the role of Chief Privacy Officer, for example, is no longer so unusual).
The process will also oblige you to identify the owners of cyber risk management within your company, document processes and technology, and construct and test your incident response/crisis management plans. While underwriters care about the technical aspects of your risk (To whom do you outsource various technology processes? Do you have firewall protection? Do you encrypt sensitive data at rest and in transit?), they care just as much about your corporate culture around cyber and data privacy risks. As a result, you are compelled to proactively define your security posture and to tell your story of risk mitigation and breach preparedness.
This in-depth, intra-company process facilitates open communication across disciplines. The end result is a positive one – you’ve aligned your firm’s awareness and preparedness with unique risks and exposures, while potentially procuring a financial risk transfer solution that will perform in the event of a loss, protecting your company’s most precious assets.