In the following guest post, Paul Ferrillo provides a primer for the purchase of cybersecurity insurance. Paul is a partner in the McDermott, Will & Emery law firm. My thanks to Paul for allowing me to publish his article as a guest post on this site. I welcome guest posts from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
**********************
At my old law firm, I was the person assigned by others to “figure out” a client’s insurance problems or needs and “fix” them. They claimed that insurance was like hieroglyphics, and they were not Egyptologists. I was. It didn’t matter what the coverage was (D&O, Employment, General Partnership Liability or standalone Cyber), my job was to “make it happen.” Given my training at a big carrier when I was a young attorney (sans the receding hairline), it was a natural fit for me. Given the needs of several humungous clients involved in the world’s largest matters, the “wartime” training was also extremely helpful to solidify my knowledge and so I could learn tough love from my mentors, like Jack Flug from Marsh.
I continue to do the same today for both old and new clients. As standalone cybersecurity insurance has grown exponentially since 2012, it seems to be my primary focus today. It also seems to be the area that corporations and business professionals have the most trouble understanding and putting to use in their insurance purchases. Cybersecurity (let alone cybersecurity insurance) is not intuitive. It changes constantly. The threats and attacks change constantly. Coverage needs similarly change constantly. After being requested by readers, here is a primer for the purchase of cybersecurity insurance. It is not the nitty gritty detail of insurance (e.g. policy terms, conditions and exclusions are not covered) and does not cover every nuance of purchasing insurance, but its basic and to the point.
What is standalone cybersecurity insurance and what does it cover?
Standalone cybersecurity insurance is a broad form policy that generally covers cyber breaches and attacks, including ransomware attacks, along with privacy and cybersecurity litigation and investigations. It has two components, first party coverage (to “investigate,” “remediate,” and “clean up the breach” and get you up and running), and third party coverage for the investigations and litigations that unfortunately go along with a large cybersecurity breach. Costs could involve both legal costs, and forensic consulting costs for a provider brought in to deal with a breach. There is business interruption coverage for network downtime. There is reimbursement coverage if you suffer a ransomware attack and need to pay the ransom to get “out of jail.” These coverage parts all work together, and often one big breach can invoke multiple coverage parts. Most cybersecurity insurance provides reputational and crisis management coverage that can help large and mid-sized businesses to deal with the fallout from cyber attacks from customers, clients and investors, especially if it is ransomware related.[i]
Policies are purchased with “limits of liability” so that coverage can be tailored to the specific business. Many times policies have sub-limits for particular areas of coverage (like first party coverage). Policies can range from very small, to very large (with cybersecurity insurance towers running into the hundreds of millions of dollars for very large public companies).
Unless you specifically purchase additional coverage, standalone cybersecurity insurance generally does not cover personal injury and property damage claims arising out of a cybersecurity event. Thus, depending upon your business, you could need two different types of cybersecurity insurance to be fully covered for “all risks” (e.g. say if you were an oil and gas producer or pipeline operator).[ii]
How do I get it? How much do they cost?
Standalone cybersecurity insurance is obtained through an insurance broker and by filling out an application for coverage. Very often the carrier involved will also want a cyber diligence call with your organizations CIO or CISO. As far of as underwriting standards go, carriers vary, though many will accept your work to fulfill the NIST cybersecurity framework (ver. 1.1) (https://www.nist.gov/cyberframework). Carriers are not there to provide you with technical support (like what version of MSOFT Windows you should be running), and but they to have pre-breach cybersecurity services which they provide to their insureds.[iii]
Each Carrier will have a multi-page application for what it considers to be normal elements of a healthy and secure network, and might (per industry) have specialized questions that fit the specific business vertical they are underwriting. For the most part, the carrier’s underwriters (the people who issue the policies) are very skilled and experienced. Many underwriters have cyber or computer backgrounds. Cyber is an important part of many carrier insurance offerings, and those involved take it very seriously.
The cost of a policy is based upon the limit of liability sought to be purchased, along with the risk perceived by the insurance underwriter. There is generally no set formula nor “standard” premium. Risk controls price for the most part. Seeing hundreds of insureds a year, the insurance underwriter will often have a very good understanding of your business and your risk.
For those thinking about purchasing coverage, some wise advice is to have a methodology that ensures your business and network are prepared and remains prepared to deal with any cyber eventuality. That would include:
- network preparedness (like up to date firewalls and intrusion detection solutions),
- a fully practiced and operational “patching” policy (to address matters CVE’s that are identified by US CERT and others during Patch Tuesday),
- employee training and preparedness,
- ensuring the existence of basic policies in place, like an incident response plan, business continuity plan and a crisis communications plan. A functional and well thought out business continuity plan (with a “back up” policy to support the plan), as well as a cyber supply chain risk identification and management policy, are two big areas today of examination given the ransomware plague in the US.
A recent vulnerability assessment would be most appreciated by your cyber broker and the carrier involved. They would also appreciate a sketch of your network architecture. Finally, if you are in a regulated business (such as a registered SEC investment advisor), or collect data of EU residents (or NYS residents for that matter), a description of your regulated entity compliance methodology would also be helpful materials for you to have available.
As the old expression goes, “how do you get to Carnegie Hall? Practice, Practice, Practice.” The same things generally hold true in the cyber security world, and the cybersecurity insurance world too. The more preparation you do before the underwriting process, the more it will show that you have cyber risk “under control.” That will help you and the underwriter better assess your cyber risk, and should hopefully result in a fair premium for the limits you are seeking.
We hope this answers a lot of questions that you might have. As cybersecurity insurance is so important today, please reach out to your favorite broker (or me) if you have any additional questions.
[i] Three websites provide examples of the laundry list of cybersecurity insurance coverage you can purchase from three of the largest and most well-known carriers.
https://www.chubb.com/us-en/business-insurance/cyber-products.aspx, and https://axaxl.com/insurance/products/cyber-insurance, and https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/cyberedge-wording-sample-specimen-form.pdf.
[ii] See, e.g., https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/cyberedge-plus.pdf., https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/cyberedge-pc.pdf.
[iii] See, e.g., https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/cyber-loss-control-services-all.pdf. And https://www.chubb.com/us-en/business-insurance/cyber-products.aspx for examples of such services.