As remote working has increased, so have cyber threats on the equipment we use. Personal devices and home Wi-Fi don’t have the same level of protection as office-based systems with built-in security functions.
Many business owners worry about ransomware attacks, malware and phishing. So what can you do?
Businesses can indemnify themselves against losses sustained due to cyber incidents by acquiring cyber insurance. Insurance covers losses relating to damage to, or loss of information from, impairment of IT systems and networks.
When buying cyber insurance, you should carefully consider the scope and amount of cover, as well as their other security measures.
How do you get specific cyber cover?
It’s unlikely your existing insurance will cover the full range of cyber risks, which are broad, and ever expanding. Standard insurance policies often contain exclusions relating to cyber losses.
For example, in the ongoing Mondelez v Zurich case, Mondelez International, Inc. brought a claim against Zurich American Insurance Co. for refusing to pay out on a claim for losses sustained due to the 2017 NotPetya cyber-attack.
When purchasing cyber coverage, you should remember:
- To scrutinise the drafting of the policy and the exclusions from an information security perspective.
- The more you can negotiate to narrow the exclusions, the more likely you can make a successful policy claim.
- During negotiations, it is crucial to understand the insurer’s standpoint on what its drafting covers as well as changing the clauses.
- Once you understand how the insurer interprets its drafting and what it is happy to pay out on, you can ascertain whether this is appropriate to your business, or not.
What about the scope of cover?
When deciding which cyber cover to purchase, begin by listing the cyber risks that the company may face. Examples include:
- Property damage,
- Business interruption,
- Reputational damage,
- Cyber extortion,
- Loss of data or intellectual property, and
- Regulatory penalties and investigations.
Consider whether you require insurance against both first-party and third-party cyber risks. Unlike more traditional lines of insurance, cyber insurance can vary significantly in scope between different insurers and different policy forms. Standard form policies are very uncommon, and many clauses have yet to be tested in courts.
A few notable trends have appeared in the market, for example, cover rarely extends to regulatory fines. Most insurance policies will provide cyber cover for a company’s computer networks and systems. The definitions do not always extend to cloud-based services that may be used.
- Where you have a specific expectation of scope of coverage, this should be discussed with the insurer.
- You must confirm that they will provide this coverage and that the policy you are purchasing provides it.
- Maintaining clear records of these discussions is important and may assist you to refute any future counterclaim by an insurer who does not want to pay out on your claim.
Will the cover have a limit?
Often cyber insurance contains aggregate annual limits on cover, and policies can contain sub-limits on specific covers. Sub-limits are lower than the overall aggregate limit, e.g. the costs of replacing IT systems might have a specific cap that is only a fraction of the aggregate limit on cover under the policy.
Make sure you check that policy pay-outs are large enough to be helpful to your company.
What about security measures?
Having good safeguards against cyber risks can reduce the cost of premiums. The onus is on the insured party to keep details of their cyber security safeguards, plans and policies.
The policy holder will usually have a duty to inform the insurance company about any change to their cyber security measures under their policy agreement. The insurance company may not be obliged to pay out on a claim if the information provided about the safeguards in place are inaccurate.
Insurance coverage is one part of an arsenal against cyber risk, alongside cyber security and risk management. There are several pitfalls to avoid during the purchase of cyber insurance, and it remains to be seen how policies will adapt now most employees will be working remotely more in the future. It is worth keeping an eye on any policy renewals to ensure that new exceptions have not been added.
When purchasing a policy, you will need to carefully consider the scope and amount of cover on offer, the specific drafting of any exception, as well as ensuring your security measures are up to standard.
Key takeaway: Is cyber insurance worth it? The short answer is yes. The immediate costs of a data breach can be significant, but the dormant costs can be devastating for growing companies. We recommend seeking legal advice to make sure you get the right policy for your business.
To discuss your cyber insurance requirements, please contact Stephanie Lopes and Simi Khagram.