Managing Cyber Insurance Through Preventive Law: A Case Study

Rivermark Community CU now enjoys more informed decision-making when transferring cyber risks to its insurers.

Source: Shutterstock

Sit down and take a close look at your business insurance policies, if you dare. You will find a labyrinth of legalese forms understandable primarily by lawyers (and even then, not always).

For purposes of transparency, I am a lawyer and have been guilty of drafting and negotiating complex contracts incorporating this awful language that rightly stereotypes us. The reason for this probably begins with the bloodless lobotomy that is called law school. During these three years, we endured a re-education leading to the magical ability to conceive of every possible outcome to a situation that could lead to loss. This ability was sharpened after clients began hiring us to prepare or revise contracts in order to help them get the best of the deal with their counterparts.

So, it should be no surprise that insurers have teams of lawyers utilizing myriad data points to craft behemoth contracts that are one-sided and often confusing to the lay reader. This is especially true with cyber insurance, which is still in “Wild West” stages as far as product offerings and coverage positions.

Worse yet, insurers often scour policies seeking ways to deny coverage in the event massive losses occur. Just ask Mondelez International and Merck, who are both embroiled in high-stakes litigation involving their respective insurers’ denial of coverage following the notorious NotPetya ransomware attack. Believe me, I know how this works . . . I used to be in-house counsel with a large insurer early in my practice and was regularly tasked with finding “opportunities for coverage reconsideration.”

Credit unions are increasingly becoming more aware of the importance of having some level of cyber insurance in place, as financial institutions are often prime targets for attacks given the number of confidential records maintained. Surprisingly, only a relative handful are taking the additional steps to understand what specific coverage and exclusions exist in their policies. Failing to do so could mean putting a bandage on a bullet wound in the event of a cyberattack or data breach . . . or worse yet, being blindsided by a denial.

Here’s the story of one credit union that’s ahead of the curve on this front.

Wouldn’t You Prefer a Nice Game of Chess?

I first met Seth Schaefer, president/CEO of Rivermark Community Credit Union ($869 million, Beaverton, Ore.), during a cybersecurity awareness and prevention breakfast. It was a great opportunity for chief executives in the region to learn about cyber risk mitigation techniques, including preventive law pillars such as contract negotiation and insurance management.

I then noticed Seth again in the audience a few weeks later during another panel discussion on proactively addressing cyber risks. It was clear he was interested in this subject, so we met for a coffee. Seth mentioned that Rivermark was renewing its insurance policies in a few months and interested in exploring whether the cyber insurance coverage had any gaps, exclusions or other issues that could blindside them in the event of a cyberattack or data breach.

Seth engaged us to do an analysis of the expiring insurance program through the lens of cyber coverage, and report back on issues and opportunities to discuss with the broker. Business decisions could then be made as to whether additional cyber coverage was indicated, compared to mitigating certain risks through developing and implementing internal policies.

After receiving copies of the relevant insurance policies, we went to work.

The Big Print Giveth, and the Fine Print Taketh Away

We began the process by conducting a thorough review of the insurance policies. What we uncovered was not atypical from the vast majority of businesses we work with: First, inadequate limits and sub-limits of coverage; second, unexpected gaps and exclusions; and third, overbroad, vague, ambiguous and generally confusing language. We summarized all of the issues with the cyber coverage in a comprehensive report, prepared a one-page list of triaged to-do items, and then met with the Rivermark team to share our findings and discuss next steps.

In order to have a productive initial meeting to relay cyber coverage findings, Seth astutely gathered a cross-discipline team including Rivermark’s information technology and security directors, as well as its risk and insurance directors. Such diverse participation not only reinforced the importance of this issue as an enterprise-wide concern, but further ensured closure of potential business system gaps in addressing the concern with appropriate accountability.

Over the course of two hours, we proceeded step by step through the report to make sure there was a shared understanding of the insurance-related concerns. Generally, the main takeaway from meetings like this is to help credit unions know what they didn’t know before, in turn laying the groundwork for strategic decision-making, and this meeting was no different.

We leveraged the information technology and security managers’ expertise to discuss and explore internal strategies that could be implemented to enhance data protection and at the same time reduce insurance-related costs. Consideration was also given to third-party experts specializing in audit and compliance processes to fill in the blanks.

You Take the Red Pill, You Stay in Wonderland

Since fixing many of these cyber coverage issues involved procuring additional coverage – which often means significant additional premium dollars – I was further deployed to share the findings with Rivermark’s insurance broker. This served the dual purpose of determining the cost of remedying risk transfer issues, as well as ascertaining the broker’s level of sophistication in the burgeoning cyber arena.

A brokerage firm with a well-developed cyber practice should be able to provide effective access to the market. With numerous cyber insurance carriers offering standalone policies, and the cyber landscape still largely underdeveloped among varying policies, there are ample opportunities to identify brokers who can work with your company to access appropriately-capitalized insurers.

A firm with an established cyber presence should also have relationships with underwriters who can provide guidance on strategies to reduce costly premiums across multiple prospective carriers. So, to the extent Rivermark developed and implemented enhanced cybersecurity and data protection policies, there should naturally be premium savings for doing so.

The Squeaky Wheel Gets the Grease

With that backdrop, the following week, I reached out to the broker to relay the findings and action items. Fortunately, Rivermark’s broker was both seasoned and responsive. He understood the key issues uncovered, took copious notes and relayed these concerns to both the existing insurance carrier as well as the marketplace.

He then worked directly with Rivermark’s insurance manager to ensure that the issues were buttoned-up as much as commercially feasible. With several weeks still remaining until renewal, Rivermark was able to begin implementing its internal policies, ensuring enhanced protection of confidential records and realizing further opportunities for premium savings in the process.

These communications resulted in improved transparency in the insurance procurement process, and in turn improved broker-client relations. Ultimately, through Seth’s overall proactive approach, Rivermark enjoyed more informed decision-making when transferring cyber risks to its insurers.

I’d say it was a win-win for everyone involved.

Chris Keefer

Chris Keefer is the principal of Keefer Strategy, a preventive law practice in Portland, Ore.