The Magic 8 Ball: Clarifying Uncertainty in Your Cyber Insurance Policy
Learn eight items to look for, plus strategies to implement, to help ensure your policy is working for your CU.
One doesn’t need to ask a Magic 8 Ball whether cybersecurity is a major risk facing businesses today. The answer is obvious: “It is decidedly so.” In addition to having good cybersecurity practices in place (hint: memorialized in written policies with regular and meaningful training), it is likewise important to have adequate cyber insurance in the event of a cyberattack or data breach. While this seems rather obvious, you may not be certain what those policies specifically cover.
As a general matter, first-party cyber insurance typically covers direct damages incurred following a cyber event, such as costs of recovering lost or damaged data, notifying members of the event, providing credit monitoring services and business income loss. Third-party cyber insurance, on the other hand, typically covers legal defense costs, settlements and judgments, and regulatory fines and penalties that may result from such an event.
Like any other insurance policy, your cyber policy will contain a labyrinth of vague and confusing language as well as gaps and exclusions that could blindside you. Below are eight items you should look for, along with some strategies you can implement, which will help ensure your cyber policy is actually working for your credit union following a cyber event.
1. Adequate Limits & Sub-limits
According to the 2019 Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, the average cost of a data breach in the United States was $8.19 million (or $242 per compromised record). To determine your own exposure, audit the number of research and development records, employee information, business-to-business and individual member data, and other confidential records and information that could potentially be damaged or stolen.
Next, go back to your cyber insurance policy and determine whether the aggregate policy limit and sub-limits of coverage adequately protect this exposure. Keep in mind sub-limits are part of and not in addition to your aggregate limit. Your aggregate policy limit is the absolute most an insurance company will pay in the event of a breach, and these sub-limits could dramatically erode this overall limit.
For example, you may have sub-limits in place for items such as computer forensics costs, crisis management and public relations costs, member notification costs, and regulatory fines or penalties. Each of these on its own could significantly eat away at your overall limit, requiring additional coverage to avoid major out-of-pocket losses.
2. Business Interruption Coverage
Loss of business income due to a cyber event causing network systems to shut down can be a huge component of loss following such an event. These business interruption losses are often subject to sub-limits under your cyber policy. As part of the cyber audit discussed above, evaluate the total exposure of your potential business interruption losses to determine whether this component of coverage is adequate.
Of course, business interruption coverage also carries time-based limits in addition to the dollar sub-limit, specifically the waiting period (the amount of time the outage must last before this coverage begins) and the period of restoration (the maximum window, measured from the outage, during which the policy pays while your systems are returned to normal). You will only be able to recover business income loss within that window, so make sure each of those is adequate as well.
In order to further reduce exposure to business interruption loss, consider contingency planning for information and data stored on physical servers, including cloud-based backup options. Backups only shorten the period of restoration if you have actually tested restoring from them, so include restore drills in that planning.
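The following is an added illustration of how the limits described under items 1 and 2 interact; it is not from the original article or from any real policy. It models a hypothetical first-party policy whose sub-limits erode a single aggregate limit, plus a business interruption window bounded by a waiting period and a maximum period of restoration (the window definition is a simplification and an assumption, not policy language). All dollar figures and hours are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberPolicy:
    """Hypothetical first-party policy terms (all figures constructed for illustration)."""
    aggregate_limit: float
    sublimits: dict                  # category -> sub-limit; part of, not in addition to, the aggregate
    bi_waiting_hours: float          # business interruption: outage hours before coverage begins
    bi_max_restoration_hours: float  # business interruption: longest outage window the policy pays for


@dataclass(frozen=True)
class Incident:
    """Constructed losses from a single hypothetical cyber event."""
    costs: dict                # category -> dollars incurred (forensics, notification, regulatory, ...)
    outage_hours: float        # how long systems were down
    hourly_income_loss: float  # business income lost per hour of outage


def business_interruption_loss(incident: Incident) -> float:
    """Total business income lost for the whole outage, before any policy terms apply."""
    return incident.outage_hours * incident.hourly_income_loss


def recoverable_business_interruption(policy: CyberPolicy, incident: Incident) -> float:
    """Business income loss falling inside the policy's time window.

    Assumed (simplified) window: opens when the waiting period ends and closes at the
    earlier of systems being restored or the maximum period of restoration, both
    measured from the start of the outage. Dollar sub-limits are applied in settle().
    """
    window_start = policy.bi_waiting_hours
    window_end = min(incident.outage_hours, policy.bi_max_restoration_hours)
    covered_hours = max(0.0, window_end - window_start)  # outage shorter than the waiting period pays nothing
    return covered_hours * incident.hourly_income_loss


def settle(policy: CyberPolicy, incident: Incident) -> dict:
    """Apply each sub-limit and then the aggregate limit to every head of loss.

    Claims are applied in dictionary order; an adjuster applies them as incurred, so the
    order in which sub-limits erode the aggregate can differ in practice.
    """
    claims = dict(incident.costs)
    claims["business_interruption"] = recoverable_business_interruption(policy, incident)

    remaining_aggregate = policy.aggregate_limit
    paid = {}
    for category, amount in claims.items():
        cap = policy.sublimits.get(category, remaining_aggregate)  # no sub-limit: only the aggregate caps it
        payable = min(amount, cap, remaining_aggregate)
        paid[category] = payable
        remaining_aggregate -= payable  # every sub-limit payment erodes the aggregate

    total_loss = sum(incident.costs.values()) + business_interruption_loss(incident)
    total_paid = sum(paid.values())
    return {
        "paid": paid,
        "total_paid": total_paid,
        "out_of_pocket": total_loss - total_paid,
        "aggregate_remaining": remaining_aggregate,
    }


# Constructed sample terms and losses (not taken from any real policy or breach).
SAMPLE_POLICY = CyberPolicy(
    aggregate_limit=5_000_000,
    sublimits={
        "forensics": 250_000,
        "notification": 500_000,
        "regulatory": 1_000_000,
        "business_interruption": 1_000_000,
    },
    bi_waiting_hours=8,
    bi_max_restoration_hours=30 * 24,
)

SAMPLE_INCIDENT = Incident(
    costs={"forensics": 400_000, "notification": 350_000, "regulatory": 1_500_000},
    outage_hours=96,
    hourly_income_loss=20_000,
)

if __name__ == "__main__":
    result = settle(SAMPLE_POLICY, SAMPLE_INCIDENT)
    for category, amount in result["paid"].items():
        print(f"{category:22s} paid ${amount:>12,.0f}")
    print(f"total paid             ${result['total_paid']:>12,.0f}")
    print(f"out of pocket          ${result['out_of_pocket']:>12,.0f}")
```

With the constructed figures the policy pays $2.6 million of a $4.17 million loss even though $2.4 million of aggregate remains unused: three sub-limits and the waiting period leave $1.57 million out of pocket. Swapping in your own limits and audit figures is the point of the exercise.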
3. Coverage for Fines and Penalties
Companies are subject to data protection and breach notification obligations under a patchwork of statutes, regulations, agency guidance and industry standards, many of which carry fines and penalties. These include the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, PCI Data Security Standards, HITECH Act, SEC Guidance, FTC Act, Fair Credit Reporting Act, Executive Order 13636, laws in all 50 states plus the District of Columbia, Puerto Rico and Guam, and international laws (e.g., EU, Asia, South America, Middle East).
As an example, in 2019 Equifax agreed to pay at least $575 million (potentially up to $700 million) in a settlement with the FTC, CFPB, 48 states, the District of Columbia and Puerto Rico over its "failure to take reasonable steps to secure its network."
These fines and penalties can result in massive exposure from a cyber event, and your cyber policy may limit or exclude them. Make sure this coverage is in place, and further make sure you have written policies and procedures in place, along with regular and meaningful training, to ensure reasonable compliance with data protection and notification requirements (hint: this should also reduce overall premium costs).
4. Contract Exclusion
Most cyber insurance policies will exclude coverage for claims that are based on your assumption of liabilities under contracts.
Let’s say a cyberattack or data breach occurs and numerous third-party records maintained by your credit union are compromised. A series of lawsuits ensues with numerous theories of recovery asserted, including claims that you had contractually assumed the obligation to safeguard confidential information maintained on your systems. Given the contract exclusion, those contract-based claims would not be covered.
First and foremost, make sure you are not assuming impossible or impractical cybersecurity requirements in your contracts that could result in unnecessary exposure. Also look at the reasonableness of the indemnification and insurance language in those contracts. Once those are squared away, consider opportunities for “insured contract” coverage for those instances where you made a business decision to indemnify certain clients for these losses.
5. State-Sponsored Acts Exclusion
Many cyber insurance policies exclude claims that are based on actions authorized or supported by foreign authorities. Given how broadly these exclusions are typically written, every otherwise covered cyber event alleged to be supported in some way, shape or form by a foreign government could potentially be excluded from coverage.
According to a 2018 study by Carbon Black, a global cybersecurity vendor, 41% of its investigations involved events originating in either China or Russia, with numerous of the remaining attacks coming from Iran, North Korea, Pakistan and Vietnam. These are countries in which an insurer could argue cyber events presumptively involve action by a government authority and therefore are excluded under your cyber insurance policy.
Using examples like the NotPetya and WannaCry ransomware attacks and the Marriott data breach (attributed to Russia, North Korea and China, respectively), test your insurer as to whether scenarios like this would be covered. If not, then consider coverage endorsements – or alternative insurance carriers entirely – to proactively address these massive uncertainties.
6. Prior Acts Coverage (Retroactive Date)
Let’s say you had cyber insurance in place for the policy year Jan. 1, 2019 to Jan. 1, 2020. You received a call in October 2019 from law enforcement warning that your systems had been breached. Upon further investigation, you learned the breach resulted from an officer clicking on a link in December 2018 and giving a password to an attacker claiming to be someone from your IT department.
Since the original breach event occurred in December 2018, which preceded the Jan. 1, 2019 policy inception date, losses may not be covered unless you had “prior acts coverage” in your policy with a retroactive date before December 2018. As the Capital One cyber event showed, intruders can reside on systems for months before they are discovered, so it is always best to have retroactive dates as far back as commercially feasible.
As part of your robust cyber audit, explore appropriate retroactive dates, and certainly make sure those are specifically identified in your insurance policy prior to a claim occurring.
7. Losses Prior to a Cyber Event
Most cyber insurance policies only provide coverage in the event of an actual infringement, defamation, privacy violation, security breach or disclosure of personal information. However, there are cases that have been filed against organizations even though no actual cyber event occurred.
In one such case out of the Northern District of Illinois, Jason Shore and Coinabul, LLC v. Johnson & Bell, Ltd., a law firm’s clients had learned about its data security flaws, exploitable out-of-date software and vulnerable VPN and email systems. A class action was then instituted against the firm as a result of the flaws and failure to properly secure client data which “subjected the plaintiffs to an increased risk of injuries.”
There had been no actual intrusion, data exposure or data misuse in this case. Notwithstanding, the firm was required to expend significant funds defending against these claims. Consider options with your carrier to explore coverage for scenarios like this. Keep in mind, the contract exclusion issues mentioned above may also come into play depending on the liabilities you are assuming in writing for your clients or members.
8. Overlapping Provisions
Certain coverages offered in your stand-alone cyber insurance policy may also exist in your other insurance policies. For example: business interruption coverage may also exist in your property policy, privacy-based claims may also be covered in your commercial general liability policy, employee negligence in causing a breach may also be covered in your professional liability (E&O) policy, and computer fraud may also be covered under your crime policy.
If these overlaps exist (hint: they most likely will if your insurance policies are through different carriers), then you may discover issues with “other insurance” provisions in the event of a cyber event. Pay close attention, as some insurers will treat their coverage as excess over a competing policy, some will pay a subjectively determined pro-rata share, and others may even exclude coverage when competing insurance exists.
Ultimately, you could wind up with two insurers pointing fingers at each other to determine which is responsible for covering losses from a cyber event (while you wait for that much-needed coverage). It is important to clarify with insurers the interplay between them under scenarios like this, and certainly before a claim occurs.
Determine whether any (or all) of the eight items above exist in your cyber insurance policy and then implement strategies around them. Being proactive on this front can uncover and remedy areas of exposure before a potentially catastrophic cyberattack or data breach occurs. All of this ensures you won’t need to shake the Magic 8 Ball to find out whether you have coverage for such an event … you’ll already know.
Chris Keefer is the principal of Keefer Strategy, a preventive law practice based in Portland, Ore.