After our post, Do I Need Cyber Insurance [For My Business], we received notes from clients and friends thanking us for bringing this to their attention. We also got a lot of questions. We asked insurance agents in the New Orleans area that we knew specialized in cyber risk insurance to help educate all of us. Bradley Nolan with Donnaway Insurance graciously agreed to do an interview with us about the topic.
My IT - How has the cyber-risk insurance market changed in the past 3-5 years?
BN - Many new insurers entered the market recently. Previously, the market had a handful of traditional carriers with over a decade of underwriting & claims experience. Now with new insurers playing in the market, there are untested policy contracts due to them having little experience dealing with cyber and data losses. These companies that are new to the sector do not have the claims support infrastructure and technology vendor network to investigate and assess claims immediately so their pricing, underwriting coverage, and claim response is largely unknown.
Additionally, we’re seeing the rapid rise of claim costs and ever-evolving threats combined with downward pricing pressure on premiums, which can result in a potentially catastrophic market adjustment. The carriers that quickly flooded the market with below-market premiums may leave just as quickly, as they may be unable to respond to claims effectively or may jeopardize the insured’s business stability.
Just out, the June 2017 Ponemon Institute report found, for the first time ever, that malicious third party attacks have become the primary source of data breaches. 52% of all new cyber & data losses in the last 2 years are the result of outside attacks (e.g. phishing, ransomware, malware) versus traditional first party losses (e.g. operator negligence, lost laptop, disgruntled insider) as in the past. This volatility makes cyber-risk insurance a difficult market to forecast.
My IT - What do most cyber-risk insurance policies cover?
BN - Policies are broken down into First-Party Costs, which include about 90% of the average data breach claim, and Third-Party Costs making up the remaining 10% of expenses on a claim.
- First-Party Costs – ordered most to least expensive
  - Forensics costs
  - Breach coach or data privacy attorney legal costs
  - Regulatory defense and/or fines
  - Notification costs to affected parties
  - Credit monitoring
  - Public relations
- Third-Party Costs – ordered most to least expensive
  - Legal defense costs
  - Legal settlement costs
  - Regulatory fines & penalties
My IT - How much is the typical cyber-risk insurance policy you offer worth and how much does it cost (range)?
BN - In general terms, a year ago you’d find an estimated baseline budget would have been $3,500-$5,000 per $1,000,000 aggregate coverage limit, with adjustments for the specific business and its data security practices. Today, we’re seeing that same $1,000,000 aggregate limit for 35-50% less with broader terms (i.e. no sublimits, fewer policy limitations) because of the competition in the market.
Insureds with strong data security practices can achieve significant reductions and broaden coverage, while poorly secured insureds can buy coverage that was previously unavailable.
My IT - What is typically covered or not covered that surprises most policy holders?
BN - Definitions of “data” and a data breach are not yet standardized insurance terms, like with traditional property & casualty coverage. This non-standardization is a concern as data takes many forms (paper and electronic), and all insurers define “data” differently. As there is no standard insuring agreement, some insurers will severely limit the scope of coverage of what constitutes “data” to the insured’s detriment.
Some carriers will impose technology warranties that effectively negate coverage. For example, “most current technology” warranty can be voided by missing a Windows update, and such warranties don’t contemplate unknown (zero-day) threats.
Additionally, crossovers with crime coverages complicate matters: does your cyber policy address electronic funds transfer fraud & theft exposures? How does your cyber policy integrate with your existing crime policy and operational protocols?
Business owners need to know how their coverage pays claims in the event of a loss. Some carriers will pay claims costs directly on your behalf and assist your investigation, while others will only reimburse costs you incurred that they approve, with various levels of guidance on claims response.
How does your coverage address an “alleged” event? With the uncertainty and breadth of technology, a human error or misconfiguration can look like a potential breach. This situation can entail forensic/investigative costs to discern the answer. Depending on the specific policy, an “alleged” event that doesn’t develop into a covered breach will be treated very differently by different insurers, with respect to claim history and future underwriting.
My IT - What are some details that buyers should pay attention to when considering a cyber-risk insurance policy?
BN - How do the specific cyber & data risks of your business integrate with your existing insurance & risk management planning? Does your management recognize the cyber threat that may affect your business and dedicate resources to address the threat before a potential loss?
While prices are falling and can vary dramatically, the greatest variable is the expected claims response. Specifically, what level of insurer support and guidance do you expect in developing a response plan, before a loss occurs? Does the insurer have a network of established response providers and IT-focused claims staff to guide you in the event of a potential loss?
The current choice is either to buy a customized “Cyber policy as a Service” from an established insurer, with an established technology claims staff, at a higher upfront premium, or to buy a less comprehensive insurance policy that requires you to develop a largely self-directed response plan that may reimburse your losses.
Because cyber-risk insurance is a new option for many businesses, we highly recommend talking to an insurance agent well versed in this type of policy to determine what is the right amount of coverage for your business. Additionally, a good IT firm will work with you to ensure your cybersecurity protection and processes meet the insurance company's guidelines so you are covered in case of a breach.