What’s in Your Cyber Policy?


Want to learn more about cybersecurity and data breaches? Join the University Risk Management and Insurance Association (URMIA) for "Data Breach 201" [http://my.urmia.org/rmweek/todolist/friday2015] led by The Beazley Group's Sue Yi and Craig Linton. This free webinar is part of Risk Management Week [http://my.urmia.org/rmweek], a week dedicated to highlighting the importance of risk management on campus and helping risk managers spread the word about good risk management practices among their colleagues. Register for the webinar here [http://online.krm.com/iebms/reg/reg_p1_form.aspx?oc=10&ct=00298843&eventid=22990], and learn more about Risk Management Week [http://my.urmia.org/rmweek].

Missed a Risk Management Week webinar? Recordings will be posted on the RM Week website [http://my.urmia.org/rmweek] by November 20.

Thirteen Potential Shortcomings in Your Cyber Coverage

I recently met a colleague for coffee at Starbucks. When it comes to coffee, I’m a relatively simple guy: medium coffee, light with milk, two ice cubes, and one Splenda. So when my friend whipped through eight options in the process of ordering a Cup-o-Joe, I had to smile at the elaborate decision-making tree that was required for what was supposed to be a mindless activity. No sooner did we sit down than he announced that his company had just purchased its first cyber breach insurance policy.

“What inspired them to finally make the long overdue decision?” I asked. Answer: A major competitor had been breached, and management figures that their turn is coming soon. I asked my colleague about the decision-making process that he used in purchasing the policy. My friend, the master of the decision-making tree, told me he turned the whole matter over to his broker. “The guy has more experience in it, and his company has more resources than we do.” He assured me that not only did the broker aggressively market the program; afterwards they gave him a full write-up to present to management. I sipped my coffee and declared, “Too sweet!” I was referring to the fact that the barista had put two packets of Splenda in my coffee instead of one.

I am not an expert in cyber breach coverage. While I do not have all the answers, I do have a whole bunch of questions that I know should be asked before and during the marketing phase:

1. What period does the policy cover? The breach that you discover today probably occurred as far back as a year or two ago. Maybe longer. You need to buy retroactive coverage to ensure that all occurrences are covered.

Mind the Gaps—Part One

There are several standard coverage gaps.

2. Will your directors and officers fall into the gap? If you do not address the issue, the answer is “Probably, yes.” Most directors and officers (D&O) liability insurance has a privacy exclusion, which means the loss of Personally Identifiable Information (PII) such as social security information, birth dates, and credit card info will not be covered by the D&O policy. While the cyber coverage is specifically designed to provide coverage for loss of PII, the standard cyber policy language that I have seen excludes acts of directors and officers.

3. Does your policy exclude liability for injuries arising from a breach of contract? Surprisingly, many cyber policies do. This creates a two-fold problem: first, any information that you’ve obtained pursuant to a contractual obligation probably will not be covered in the policy. Ask your broker and underwriter:

  • If you receive PII as part of a contract that later gets breached, would this event be covered?
  • Since the exclusion language may be extremely broad, would PII obtained to fulfill a contract such as customer credit card information be covered?
  • If you were required to carry cyber coverage as part of a contract and the party you contracted with has a breach, are you covered?

4. Does your policy cover actions from your vendors and contractors? Specifically ask whether your policy covers each of the following possibilities:

  • Intentional acts by employees of your vendor or contractor.
  • An attack staged by a third-party hacker on the vendor that compromises your PII.
  • An attack staged by a third-party hacker by using the vendor as a “watering hole” to get directly into your system.

5. Does your policy provide excess coverage with a drop-down provision? What happens if the contract requires that the other party obtain and maintain cyber coverage? If that party fails to obtain and maintain appropriate coverage (either the amount of coverage or the terms of coverage), will your policy pick up the coverage? This may be a good time to discuss the whole issue of additional insured coverage. Nowadays, more and more companies require their contractors to carry cyber insurance. While most will only do so if they are sharing PII or other critical information (which may not be covered anyway, see point 7), many are concerned that the contractor will become the “watering hole” that will serve as a breach and therefore require it in all of their contracts.

6. Does it matter if the breach was the intentional act of your employee as opposed to the employee negligently leaving his or her computer on or leaving the password taped to the side of the monitor? Intentional acts by employees may be excluded.

Mind the Gaps—Part Two

Some gaps are created by the higher legal standard that appears in most cyber policies.

7. What is the triggering event for coverage under your cyber policy? Before there was cyber coverage, your errors and omissions (E&O) policies set the standard as merely having to demonstrate a claim arising out of an alleged error or omission. Your commercial general liability (CGL) insurance had a similar standard. Most standalone cyber policies require you to demonstrate that there has been a loss of PII. While the standard probably means that “the information was accessed without authorization,” this standard appears to require that you can demonstrate some harm right up front.

The Good News: No Gap. The Bad News: No Coverage.

8. What types of data losses or breaches are covered? The general answer is PII such as social security numbers, birth dates, addresses, driver’s license numbers, credit card numbers, PINs, medical records, school records, and the like are covered. That proprietary software that runs your chemical plant, your proprietary underwriting criteria, or hedge fund or stock broker algorithms probably are not. Find out if protected health information, distributed denial-of-service (DDoS) attacks, or the transmission of malicious code are covered in your policy.

9. Should I be concerned about that “standard” language about acts of war, acts of foreign enemies, hostilities, or warlike operations (whether declared or not)? Long before Google became the authority on absolutely everything, we turned to the Magic 8 Ball for answers to our toughest questions. Its Zen-like response to this question was, “Without a doubt.” You do not have to be Sony or a nuclear power plant or a financial institution to ponder this one. If your organization is involved in manufacturing, chemicals, transportation, communications, medical, or educational activities, you are a prime target.

The Other Stuff

10. Should I agree to use the carrier’s list of attorneys and experts? Maybe yes, maybe no. To start with, the carrier will not deploy their resources until you file a claim. You may want to consult an attorney who specializes in cyber coverage before you file the claim to ensure that you are prepared for the questions that the carrier will ask. Your misstatement of information can result in a denial of coverage. (Don’t forget that you also may have an incredibly short window for providing notices). If your law firm has an attorney or department that specializes in cyber insurance and cyber breach issues, you may favor their involvement because they also know your organization.

Organizations rightfully worry if the forensic people brought in by the carrier are there to stop the bleeding or to help the carrier determine if the loss is covered, or both. Likewise, there can be an issue of allocating attorney’s fees between covered defense costs that are paid by the carrier, and non-covered defense costs that may be coming out of your pocket. This can get crazier if the coverage is spread out over multiple policies issued by multiple carriers.

On the other hand, when you accept the attorneys and forensic specialists provided by the carrier, you know you are getting people who have been vetted by the carrier and at a discounted price. When you think about it, do you want to shop for a forensic team – and then try to negotiate a discounted rate – when you’re in the midst of your crisis?

One possible solution is to discuss having your attorney added to the carrier’s approved list.

11. Do you have sufficient coverage? As a starting point, you should be aware that according to the Ponemon Institute study conducted for IBM in 2014, you can expect a cost of $201 per lost or stolen record containing sensitive or confidential information. In other words, a $5 million policy with no sub-limits will be exhausted with just 25,000 lost or stolen records. According to Rene Siemens and David Beck, attorneys with Pillsbury Winthrop Shaw Pittman LLP, if you become the target of a class action suit, don’t be surprised to see that amount increase by $1,000 per injured party. Make sure that any sub-limits will cover your anticipated exposure.

12. Coordinate your coverage. There may be overlapping coverage between your cyber, CGL, and E&O policies. With the help of your broker, determine if you have overlapping coverage. If so, work with the underwriters of all of the involved policies to establish which policy will be primary, secondary, etc. My preference is to have the cyber policy as primary so that the cyber breach mitigation team comes in with their experts to stop the bleeding and help you manage the data loss, the regulatory issues, and the loss of public confidence that is about to take control of your life.

13. Do I really need all of the coverage being offered? The example that is often used is business interruption coverage. Before you purchase this coverage, ask yourself–or better yet, ask your IT people–“Under the worst scenario, how long would you be down?” The waiting period may be so much longer than the time to get back up and running that this is not a worthwhile purchase. Check to see what other coverage is being offered. You may already have it in your CGL.

Jeff Marshall is a risk manager blogging on behalf of the University Risk Management and Insurance Association (URMIA). You can reach him on LinkedIn.

© 2015 Jeff Marshall. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.