Cyber Insurance Bespoke: Tips For Finding The Right Policy

By John Reed Stark*

(Excerpted from John Reed Stark's cybersecurity article series published by the NASDAQ Governance Clearinghouse)

The time is now for stand-alone cyber insurance. The tensions between traditional insurance policies and data breach coverage have prompted the dawning of a new era of stand-alone "cyber insurance." And this new era has only just begun. Global insurance broker Marsh LLC recently reported a 27% increase in stand-alone cyber insurance purchases by its U.S.-based clients in 2015, continuing a pattern of strong growth.

There are about 60 companies writing cyber insurance policies today, and the U.S. cyber insurance market was worth more than $3.25 billion in gross written premiums in 2016, according to the Insurance Information Institute. PwC recently predicted the market would reach $7.5 billion in premiums by 2020. Though not yet matching other insurance categories such as commercial auto insurance ($25.8 billion in premiums a year) and workers' compensation ($55 billion in premiums per year), the cyber insurance market is growing rapidly.

Clearly, stand-alone cyber insurance will become yet another basic element of a company's insurance coverage, just as property insurance and health insurance are. Many companies might even find their customers demanding that they carry cyber insurance as a matter of good business practice. Here are three important reasons why:

  1. Professional liability insurance, business interruption insurance, general liability insurance and property insurance might not cover many of the costs associated with cyber-attacks. Despite at least one recent victory for the insured, the embryonic case law (with very little appellate-level authority) concerning insurance and data security incidents remains all over the map and evidences the uncertainty as to exactly which cyber-related incidents are covered by traditional insurance policies. Coverage turns on the nature of the breach, the relationship of the parties, the type of information at issue (such as personal information, intellectual property, trade secrets and emails), the precise form of the operative policy and, for third-party liability claims, the allegations asserted and the type of damages sought.
  2. Companies that maintain cyber insurance may have the best cybersecurity policies and practices. Before obtaining cyber insurance coverage, a company typically undergoes a fairly rigorous underwriting process. Just as the physical exam typically required by insurance companies before issuing life insurance can prompt better personal wellness practices, a cyber insurance exam can prompt better company cybersecurity wellness. Relatedly, while it has been suggested that having insurance encourages companies to slack off on security, some research suggests the opposite, i.e., that companies with good cybersecurity practices are more likely to purchase insurance.
  3. Companies falling victim to a cyber-attack should not expect any assistance or even compassion from the government.  In fact, companies should expect quite the opposite for several reasons, including:
  • The U.S. government is overwhelmed with protecting the nation’s own infrastructure and does not have a SWAT or other rescue team standing by to assist U.S. companies after a cyber-attack;
  • While it may seem counterintuitive, state and federal agencies often pursue cyber-attack victims not with a helping hand, but instead with subpoenas, enforcement actions and an onslaught of lawsuits.  Furthermore, state privacy statutory regimes and a growing range of federal agencies each wield their own unique set of rules, regulations, statutes and enforcement tools; and
  • The public’s (and Congress’) perception of cyber-attack victims has sadly become not one of understanding or empathy, but rather one of suspicion, skepticism and even vilification.

The Current Cyber-Attack Wave. Meanwhile, the complexity, sophistication and variety of a new wave of cyber-attacks continue to swell. So-called "hacking" is fading from the cyber lexicon along with the historically simplistic and naïve image of mischievous teenagers wreaking havoc from a server in their parents' basement. What has replaced these now-antiquated notions is a litany of new cyber-attack root causes with dramatically expanding attack vectors, including: denial of service assaults; malware intrusions; advanced persistent threat (or "APT") intrusions, frequently attributed to state-sponsored actors; rogue employee and "bad leaver" episodes; social media exploits; mobile device attacks; ransomware demands; cloud computing infiltrations; and human error events.

How can an insurance company possibly organize and mitigate such a dynamic and ever-changing array of risks into a cohesive, logical and effective cyber insurance policy? Gauging a company's security posture has turned out to be a far more manifold endeavor than anything the insurance industry has mastered before, such as assessing human life expectancy or driving records. Even the U.S. Department of Homeland Security has officially acknowledged that the cyber insurance market remains confusing for most companies and can be overlooked for all of the wrong reasons, stating in a recent report:

“Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.  A robust cybersecurity insurance market could help reduce the number of successful cyber-attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.  Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack.”

So it seems that for today’s risk-averse companies, the best way to gain insight into the question of cyber insurance is not only by understanding the growing and complicated hazard of cyber-attacks, but also by obtaining a stand-alone cyber insurance policy that contemplates carefully the workflow that typically occurs during their aftermath.

How to Find the Right Policy. Traditionally, purchasing insurance coverage begins with a policy review, a risk breakdown and a range of other risk-related analytics. However, when contemplating a cyber insurance policy, companies should initiate more of a “reverse-gap” approach toward that calculus, analyzing and scrutinizing the typical cyber-incident response workflow that follows most cyber-attacks.

By analyzing and revisiting the realities and economics of this workflow, a company can then collaborate with its insurance sales representatives and originators to allocate risk responsibly and determine, before any cyber-attack occurs, which workflow costs will trigger coverage; which workflow costs will be outside of coverage; and which workflow costs might be uninsurable.

It also is crucial that companies conduct the necessary due diligence to be sure that their cyber insurance carrier has a good claims-paying and claims-handling history and has a proven record of rapid and supportive response.  When a cyber-attack occurs, too often there are doubts as to coverage, which can affect incident response.

Cyber insurance policies can also differ dramatically in their goals and objectives. For example, some policies are designed to cover HIPAA and PCI violations, as well as other regulatory noncompliance, while other policies are geared more for direct financial losses due to wire transfer fraud. For instance, if a company manages trust accounts on behalf of customers, the company likely will require insurance coverage for direct cash losses in the event of a network intrusion that results in the unlawful transfer of funds.

Cyber insurance policy premiums are "not one size fits all," as premiums are factored on a company's industry, services, data risks and exposures, computer and network security, privacy policies and procedures and annual gross revenue. Nearly all of the policies written by the several dozen carriers in this market are issued on a surplus lines basis, with potentially significant differences in policy wording from one cyber policy to the next.

Watch Out for Exclusions. Just like traditional insurance policies, cyber insurance policies can contain a broad range of potentially troubling exclusions. Agreement on the wording and scope is a critical aspect of the negotiation process. Given the dearth of case law on cyber insurance exclusions, policyholders unfortunately lack the benefit of precedent when assessing the boundaries of coverage. Some examples of cyber insurance battleground issues concerning exclusions for significant expenses are:

  • Failure to Follow Minimum Required Practices. The first question after any data breach, posed by many interested constituencies (including customers, partners, employees, regulators and class action attorneys), is whether the cyber-attack occurred because of some sort of cybersecurity failure. However, despite the popularity of the Framework for Improving Critical Infrastructure Cybersecurity released by the National Institute of Standards and Technology (NIST), no codified or judicially established cybersecurity standard exists. Hence, the adequacy of a company's cybersecurity defenses is largely a subjective determination and often involves "looking back" at the cybersecurity technology used by a company at the time of the actual breach and assessing its adequacy. This sort of second-guessing and 20-20 hindsight can provide useful fodder for insurance companies seeking to avoid paying a claim. Along these lines, when a policyholder fails to "continuously implement" the security procedures and risk controls that it identified in its insurance application, an insurance company may argue that a "reps and warranties" exclusion has been triggered. Policyholders should therefore treat every control described in the application as a commitment, and keep evidence that it was in fact operating throughout the policy period.
  • Act of War/Terrorism. Many cyber insurance policies contain exclusions for terrorism, "hostilities (whether war is declared or not)" and claims arising from "acts of foreign enemies." In a car insurance or homeowner policy, an exclusion for acts of terror or foreign enemies may not seem important, or even relevant to any decision. But for cyber risk policies, these exclusions could pose a real problem. After discovery of a cyber-attack, digital forensic specialists and malware reverse engineers often will be asked to theorize as to the identity of the perpetrator, or even to construct a profile of the intruder. Sometimes, among the fragments, remnants and artifacts found on a laptop or server (including within deleted but recoverable files, unallocated and slack space, or the boot sector), evidence may point to a particular attacker or "cyber-gang," and a data security incident may be deemed an act of state-sponsored terrorism. But attribution conclusions of this kind are inherently speculative: the indicators involved (tooling, infrastructure, language artifacts, working hours) can be reused or deliberately planted by others, and the conclusions are only as good as the reputation and experience of the incident response team. Nonetheless, if, for example, a digital forensic specialist labels an APT attack as an act of terror, such labeling could trigger an "act of terror" exclusion. This question may be especially germane if the policyholder is in a key infrastructure industry, the defense industry or the technology sector.
  • Third-Party Acts or Omissions. The third-party vendor sector has become one of the more prevalent attack vectors in recent cyber-attacks, yet some cyber policies might not cover acts and omissions by third parties or data in the custody of third parties. Nowadays, cyber-attacks also often result in disputes as to the culpability for an attack, with vendors and companies each pointing the finger at one another for their perceived respective cybersecurity failures. When a dispute arises between a company and its vendor with respect to culpability for a cyber-attack, an insurance company may wait until the dispute is resolved, because the outcome could trigger a “third-party act or omission” exclusion.
  • Unauthorized Collection of Customer Data. Some cyber insurance policies contain exclusions for losses arising from data collection that was not authorized. Policyholders that gather information for consumer transactions, marketing purposes or as part of their core business model must gauge how an insurance company might use an unauthorized-collection exclusion to evade coverage for a data security breach claim, especially if the policyholder is not meticulous about what data it collects, where that data is warehoused and how it is transferred.
  • Retroactive Dates. Many policies include some sort of "retroactive date," which disclaims coverage for claims or loss in connection with breaches that occurred prior to that date. However, when a company discovers a breach or is notified about one (e.g. by the U.S. Air Force or the FBI, which is very often the case), the company typically learns that the intrusion originally occurred long before (months, sometimes even years). If the retroactive date is relatively recent (perhaps even the date of policy inception), there is a risk of losing coverage for earlier-occurring breaches. Policyholders should carefully evaluate retroactive coverage options pertaining to undiscovered breaches occurring earlier in time.

Documentation. Given that cyber insurance is only in its infancy, claims against such policies will have a higher rate of litigation than other, more established insurance products. Thus, when a cyber-attack victim company has its first conference call with its insurance company adjuster, the adjuster might also add the insurance company's litigator to the meeting. The litigator undoubtedly will follow up the call by sending a detailed letter of inquiry to the victim company, which will read more like a lengthy and comprehensive litigation discovery demand than a simple request for information.

Whatever the type of cyber insurance held by a victim company, insurance adjusters will scrutinize all invoices pertaining to the data breach response workflow, requiring briefings and documentation regarding all investigative efforts. Along these lines, communication lines also should be established so that a professional on the incident response team, preferably counsel, maintains careful written documentation of all response efforts, including what was found, when, by whom and on what evidence. This helps later on when assembling the "documentation package" to present when seeking insurance reimbursement for the costs of the breach.

Digital Forensic "Panels". When negotiating for cyber insurance, some insurance policies will seek provisions mandating use of a specific "panel of digital forensic experts" (even if the victim company already has a prior existing relationship with a particular digital forensic firm). Companies should check carefully for the existence of that kind of provision; much like choosing one's own surgeon for a heart procedure, a company will want freedom of choice when it comes to selecting a digital forensics/data breach response firm.

Final Thoughts. Just like other kinds of insurance, cyber coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound cyber insurance policy can send a powerful message of strong business acumen, fierce customer dedication and steadfast corporate governance, demonstrating expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.

To get the most out of cyber coverage, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular cyber risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time. Remember the suits donned by Frank Sinatra, Dean Martin, Sammy Davis, Jr. and the rest in the iconic 1960 film Ocean's 11? Those suits don't look dapper and debonair by accident; they are custom made and meticulously presented. When planning for a heist (or dressing for one), everything must be perfect. The same goes for procuring the right cyber insurance policy: every detail matters.

*John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.