In January, we hosted an event with the Northeast Chapter of the Association of Corporate Counsel (ACC) on cyber security. Matt Field, a cyber insurance expert, participated on the panel, and we are thrilled to offer you a Q&A with Matt on the basics of cyber insurance. Matt is Woodruff-Sawyer's New England practice leader. He is an expert in complex risk management and insurance areas, including cyber, D&O, clinical trials and reps and warranties insurance. He works with companies ranging from start-ups to large publicly traded global entities. Find out more about Matt here.
1. First up, can you give us some specifics about cyber coverage?
It's hard to generalize because Cyber Liability insurance policies are highly customized policies. They also have differences depending on your company’s industry. Common modules within a Cyber Liability policy include E&O, Media Liability, Network Security and Privacy.
Errors and Omissions: E&O covers claims arising from errors in the performance of your services. This can include technology services, like software and consulting, or more traditional professional services like lawyers, doctors, architects and engineers.
Media Liability: These are advertising injury claims such as infringement of intellectual property, copyright/trademark infringement and libel and slander. Due to the Internet presence of businesses today, technology companies have seen this coverage migrate from their general liability policy to being bundled into a media component in a cyber policy (or a separate media liability policy). Coverage here can extend to offline content as well.
Network Security: A failure of network security can lead to many different exposures, including a consumer data breach, destruction of data, virus transmission and cyber extortion. The culprits might be looking to shut your network down so you can’t conduct business, either for financial or political gain. Network security coverage can also apply if you’re holding trade secrets or patent applications for a client, and that information is accessed due to a failure of your security.
Privacy: Privacy doesn’t have to involve a network security failure. It can be a breach of physical records, such as files tossed in a dumpster, or human errors such as a lost laptop, or sending a file full of customer account information to the wrong email address. Companies have also faced liability from returning a photocopier with a hard drive that contained unwiped customer tax records. A privacy breach can also include an action like wrongful collection of information.
All insurers use different terminology for cyber coverage; some subdivide the four components above even further, which means that cyber policies can be very difficult to read and compare.
2. How much coverage does my company need?
Again, it's hard to generalize about this. I have seen many instances of companies not having enough coverage, but I'm sure I sound like an insurance salesman. The first step in the process of deciding what limit of insurance you want to buy is conducting an exposure analysis, including data analysis where possible. Part of the work here is understanding which parts of your exposures are insurance and which parts are not. For example, there is an abundance of “breach calculators” that purport to help companies understand the cost of a major exposure event, but many of these calculators are over-inclusive if you’re thinking about your insurance exposure. We recommend talking through your exposures with a trusted advisor, and using third-party data where available and relevant.
3. Describe some important factors in how insurers approach the underwriting process for cyber insurance.
Insurers know that all businesses face cyber risk, so a key part of the underwriting is your ability to detect and respond to a breach or network security failure. The level to which companies formalize their incident response plans varies, but underwriters will want to see that you have done a level of planning commensurate with your exposures.
For businesses that rely heavily on technology to generate revenue or process transactions:
- How quickly are you able to resume operations following a network security failure or outage?
- What are your back-up plans and redundancies? (Read more about how cyber insurance can respond to technology-related business interruption in a previous blog post, here).
Companies that are consumer facing need a plan that specifically responds to a data breach of consumer information. These plans should include vendors you would call on for help, including:
- Law firms to advise on your legal obligations based on the nature of the breach.
- Forensic IT specialists to identify the source of the breach and its scope.
- Vendors to provide notification to customers and potentially offer credit-monitoring services.
Those expenses, because they are potentially covered by a cyber insurance policy, need to come from approved vendors. Some insurers offer more flexibility in vendor choice, while other carriers will insist that you use their preselected vendors.
That’s why it is important to learn during the application process if your legal and IT groups have already established relationships with these vendors.
In our next conversation with Matt, we'll discuss new trends in cyber insurance in 2016.