cyber

It Takes a Village: Developing Your Cyber Insurance Program

freestocks-org-485685-unsplash.jpg

 “On board were the Twelve: the poet, the physician, the farmer, the scientist, the magician and other so-called gods of our legends.”
- "Atlantis" by Donovan

It is no surprise that companies are aggressively mobilizing to address and combat risks of cyberattack and data breach. According to The Global State of Information Security Survey 2018 from PwC, at least 56% of responding global executives reported having some form of overall information security strategy in place. In a referenced report, PwC highlights the importance of making sure diverse stakeholders are involved in developing and implementing those strategies, including “business, technology and risk management leaders—as well as the CEO and CFO.”

This “it takes a village” perspective not only applies to mitigating internal cyber risks but should also be applied to transferring cyber risks to insurance carriers. This begs the question, “Who should be part of your corporate cyber insurance team?” Here are a few suggestions to help you get the ball rolling:

1.     IT/OT

At least one information technology (IT) representative with knowledge of the enterprise-wide systems used, data storage practices and technology vendors is obviously critical. Such a representative should be able to estimate the number of confidential records being stored that are subject to potential breach and access, which in turn can assist in determining how much insurance you should purchase. This information can also help assess the number of records which could be subject to potential coverage sub-limits which could blindside you if unprepared.

You will want make sure this individual also has a strong grasp of the company’s operational technology (OT) issues as well, especially to the extent of supply chain, logistics and other physical processes vital to corporate success. For example, consider a cyberattack which results in delayed delivery of important production planning information to your primary factory. Along those lines, the IT/OT team member can provide valuable guidance toward insurance considerations such as acceptable business interruption limits and length of waiting periods, further assisting with harmonizing insurance procurement with existing enterprise-wide business continuity strategies (hint, your company should have these in place).

2.     C-Suite

As PwC astutely reports, there is something to be said for including a C-suite representative on the team. This executive should provide sufficient project visibility and accountability, as well as access to departments and representatives ensuring a thorough investigation prior to pulling the trigger on an insurance carrier and coverage. And this individual should have access company purse strings, so it's probably a good idea to get this person engaged early for budgeting purposes . . . especially if there could be glaring holes in your cyber insurance program.

Your C-Suite team member should also be helpful in providing an overview of contracting practices within the company. Keep in mind your company likely has enterprise-wide contracts with suppliers, vendors, distributors, customers and/or clients. Your company may have unwittingly (or wittingly) assumed certain liabilities under these contracts, including liability for losses to these third parties in the event of a cyberattack or data breach involving your system. You need to know what is in these contracts in order to identify and select appropriate cyber insurance carriers, and then tailor your insurance limits, sub-limits and coverage appropriately.

3.     Cyber Insurance Broker

A brokerage firm with a well-developed cyber practice should be able to provide effective access to this insurance market. With 60+ cyber insurance carriers offering stand-alone policies, and the cyber landscape still largely underdeveloped with varying policies, there are ample opportunities to identify brokers who can work with your company to access appropriately-capitalized insurers.

A firm with an established cyber presence should also have relationships with underwriters who can provide guidance on opportunities to reduce costly premiums across multiple prospective carriers. For example, if you were one of the 56% of responding executives mentioned above, there should be some level of premium savings for such efforts.

4.     Preventive Lawyer

Last, but certainly not least (I’m sure there’s a lawyer joke in there somewhere), you should include on your team a seasoned Preventive Lawyer who can review and analyze your company’s complex contracts and insurance policies to identify and triage potential gaps in your cyber coverage. This individual can further assist to the extent of any vague and ambiguous language in the insurance policy needing clarification (hint, you’ll want to do this before your sign on the dotted line and pay premium).

A Preventive Lawyer should be able to effectively synthesize the information provided by your company as part of the initial audit (via IT/OT, C-Suite and other company representatives) and then work with your broker representative to identify, negotiate and then select the appropriate cyber insurance carrier and policy language tailored to your risk profile as much as possible.

Best practice involves utilizing your team all year, evaluating and adapting, as the cyber landscape is continually changing. This should include regular attention to your insurance coverage . . . so don't wait until renewals or make this a once-a-year conversation! As always, we’re here to help.

Your Contracts, Your Cyber Insurance and You

park-troopers-221402-unsplash.jpg

 “Don’t talk to me about contracts, Wonka, I use them myself.”
- “Square Deal” Sam Beauregarde

If you are a product brand, you’ve probably been required to enter into many agreements with everyone from manufacturers to distributors, payment processors to financial institutions and vendors of all shapes and sizes. Hopefully you’ve had the opportunity to review and understand these contracts, as landmines may exist within that labyrinth of legalese mumbo-jumbo which can affect the insurance you have purchased for your business. In this article, we’ll look at a few of these, particularly in the context of your cyber insurance policy.

BLT, Hold the Mayo

First, these contracts may require that you add another business to your insurance policy, otherwise known as an “additional insured.” This means that your new partner is able to enjoy coverage under your insurance policy, and at your cost (hint, insurers typically require additional premium for adding insureds to a policy).

Second, these contracts may also require that you hold certain minimum levels, or limits, of coverage. Beware these contracts may have varying minimum limits, which could affect the levels of insurance you purchase in order to stay compliant across all contracts.

Third, your contracts may also require different types of coverage. For example, one vendor may require that you carry commercial general liability and worker’s compensation insurance. Another may require you to carry cyber insurance. Yet another may require commercial auto liability coverage. Make sure you have all appropriate lines of coverage in place in order to stay compliant with your business partners.

Something About Making an Ass of U and Me . . .

In addition to adding businesses to your policy, as well as keeping minimum levels and types of coverage, these agreements may also require you to assume certain liabilities of your new business partners. This is especially true if you sell products online and will be taking confidential customer data and payment card information which could be stolen by bad guys.

To the extent your business partners could be blamed for such an event by their customers, clients or investigators, they may incorporate “tender of defense and indemnification” provisions into the contracts, effectively passing this responsibility to you. More specifically, if they are sued by their customers or clients or are investigated as a result of a cyberattack or data breach involving your system, they may be able to contractually force you to pay their costs of defense such as lawyer fees, settlements and judgments.

But what does this mean, and how does it affect you? Hopefully you have a cyber insurance program in place with first- and third-party coverage for cyberattacks or data breaches. As we discussed back in December, first-party cyber insurance can help with costs for recovering lost or damaged data, notifying customers, credit monitoring services and public relations, as well as lost business income from network interruption. Third-party cyber insurance covers legal defense costs in the event of lawsuits against your company for data breach, settlements and judgments, and regulatory fines and penalties. Things can change, however, if those legal defense costs come from your business partner tendering defense or requesting indemnification under the contract.

Cyber insurance policies generally exclude from coverage (i.e., insurers will not pay) liabilities assumed by contract, including those contracts you enter into with vendors and other business partners. Let’s say your company is the victim of cyberattack or data breach occurs and numerous records are compromised. A series of claims, lawsuits and investigations ensues. Several of your vendors wind up being sued and subsequently tender their defense and investigation costs to you under the respective contracts.

Under this scenario, you should be covered to the extent you undertake crisis response measures to minimize reputational harm to you and your vendors as a result of the cyber event. You should also be covered for lawsuits and investigations aimed directly at you. However, you may not be covered to the extent of your vendors’ tender of defense and indemnification costs, since those are assumed liabilities which are excluded under your cyber policy.

Make sure you review your contracts to determine what cyber-related liabilities you are assuming. To the extent possible, negotiate those contract provisions in advance with your business partners. Of course, success on this front may be dependent on bargaining leverage given the relative size of your company compared to your partner. In the alternative, consider having your insurance carrier create carve-outs for these contracts. There may be some additional premium paid, as the insurer will not want to undertake those risks without some cost for doing so. Then take a look at the adequacy of your limits and sub-limits of your full cyber coverage program, given the potentially catastrophic consequences of a cyber event.

Long story short, read and understand the agreements with your business partners, understand the liabilities you are assuming in those contracts, and then assess and react to the effects of those liabilities on your insurance program. As always, we're here to help