“On board were the Twelve: the poet, the physician, the farmer, the scientist, the magician and other so-called gods of our legends.”
- "Atlantis" by Donovan
It is no surprise that companies are aggressively mobilizing to address and combat risks of cyberattack and data breach. According to The Global State of Information Security Survey 2018 from PwC, at least 56% of responding global executives reported having some form of overall information security strategy in place. In a referenced report, PwC highlights the importance of making sure diverse stakeholders are involved in developing and implementing those strategies, including “business, technology and risk management leaders—as well as the CEO and CFO.”
This “it takes a village” perspective not only applies to mitigating internal cyber risks but should also be applied to transferring cyber risks to insurance carriers. This raises the question, “Who should be part of your corporate cyber insurance team?” Here are a few suggestions to help you get the ball rolling:
At least one information technology (IT) representative with knowledge of the enterprise-wide systems used, data storage practices and technology vendors is obviously critical. Such a representative should be able to estimate the number of confidential records being stored that are subject to potential breach and access, which in turn can assist in determining how much insurance you should purchase. This information can also help assess the number of records which could be subject to potential coverage sub-limits which could blindside you if unprepared.
You will want to make sure this individual also has a strong grasp of the company’s operational technology (OT) issues, especially to the extent of supply chain, logistics and other physical processes vital to corporate success. For example, consider a cyberattack which results in delayed delivery of important production planning information to your primary factory. Along those lines, the IT/OT team member can provide valuable guidance toward insurance considerations such as acceptable business interruption limits and length of waiting periods, further assisting with harmonizing insurance procurement with existing enterprise-wide business continuity strategies (hint: your company should have these in place).
As PwC astutely reports, there is something to be said for including a C-suite representative on the team. The CFO (or perhaps COO) should provide sufficient project visibility and accountability, as well as access to departments and representatives ensuring a thorough investigation prior to pulling the trigger on an insurance carrier and coverage. And the CFO likely has control of the company purse strings, so it's probably a good idea to get this person engaged early for budgeting purposes . . . especially if there could be glaring holes in your cyber insurance program.
Your CFO/COO team member can also be helpful in providing an overview of contracting practices within the company. Keep in mind your company likely has enterprise-wide contracts with suppliers, vendors, distributors, customers and/or clients. Your company may have unwittingly (or wittingly) assumed certain liabilities under these contracts, including liability for losses to these third parties in the event of a cyberattack or data breach involving your system. You need to know what is in these contracts in order to identify and select appropriate cyber insurance carriers, and then tailor your insurance limits, sub-limits and coverage appropriately.
3. Cyber Insurance Broker
A brokerage firm with a well-developed cyber practice should be able to provide effective access to this insurance market. With 60+ cyber insurance carriers offering stand-alone policies, and the cyber landscape still largely underdeveloped with varying policies, there are ample opportunities to identify brokers who can work with your company to access appropriately-capitalized insurers.
A firm with an established cyber presence should also have relationships with underwriters who can provide guidance on opportunities to reduce costly premiums across multiple prospective carriers. For example, if you were one of the 56% of responding executives mentioned above, there should be some level of premium savings for such efforts.
Last, but certainly not least (I’m sure there’s a lawyer joke in there somewhere), you should include on your team sophisticated counsel who can review and analyze your company’s complex contracts and insurance policies to identify and triage potential gaps in your cyber coverage. Counsel can further assist to the extent of any vague and ambiguous language in the insurance policy needing clarification (hint: you’ll want to do this before you sign on the dotted line and pay premium).
Counsel should be able to effectively synthesize the information provided by your company as part of the initial audit (via IT/OT, CFO, COO and other company representatives) and then work with your broker representative to identify, negotiate and then select the appropriate cyber insurance carrier and policy language tailored to your risk profile as much as possible.
Best practice involves utilizing your team all year, evaluating and adapting, as the cyber landscape is continually changing. This should include regular attention to your insurance coverage . . . so don't wait until renewals or make this a once-a-year conversation! As always, we’re here to help.