As companies recognise that cyber risk cannot be eliminated, only managed, they are increasingly looking to transfer residual cyber risks through insurance. Still, many small and midsize businesses are going without cyber coverage, perhaps because of confusion about how to get the right policy.
Despite the undeniable challenges presented by today’s cyber insurance market, businesses of all sizes can cut through the confusion and obtain the right cyber insurance for their enterprise by following this five step process:
Step 1: Identify cyber risks
The first step in the process is to assess the entity’s exposure to cyber perils. Not every company is the same, and the cybersecurity and privacy risks facing an online retailer, for example, would be different from those facing a consulting company.
Companies should take an enterprise-wide approach to this step to ensure that the risks facing all divisions within the business are incorporated into the assessment. Multiple stakeholders within the organization, and potentially some from outside of the organization (technology vendors, for example), should be consulted.
Step 2: Examine existing coverage
Next, companies should carefully examine their existing insurance policies to determine how their current coverages match up with the cyber risks that have identified in Step 1. Traditional property and liability policies, as well as crime and kidnap and ransom policies, can contain some protection against cyber risks.
That said, many insurers have taken steps to exclude cyber-related risks under traditional policies and are vigorously fighting cyber claims under these non-cyber forms. Although some businesses have successfully recovered for cyber claims under such policies, relying on them for comprehensive cyber coverage is risky.
It’s important to note, however, that express cyber coverage may be included by endorsement to a traditional policy. Because redundancies in coverage can create coverage issues in the event of a claim, companies should take steps to identify any such coverages before buying a cyber policy and reconcile their existing coverage with the cyber form.
Step 3: Applying for cyber coverage
Although there is no standard application for cyber insurance, insurers usually ask for similar types of information from the prospective insured. Insurers will inquire as to the company’s policies and practices around cybersecurity, data handling, usage, and storage, vendor management and privacy. Companies likely will have to involve a number of stakeholders, including outside service providers, when responding to application questions.
Care should be taken to accurately complete the application, which will become part of the policy if one is issued. It’s critically important to seek clarification before responding to any ambiguous or unclear questions.
Applications may require the signature of the company’s president, CEO and/or CIO, who must attest to the accuracy of the company’s responses. Inaccurate information provided in the application may jeopardize coverage if a claim is later tendered under the policy.
Step 4: Finding the right cover in today’s dynamic cyber insurance market
Next, companies should find a policy that covers the risks identified in Step 1. But because there is no standard cyber insurance policy form — and all policies are not created equal — care must be taken to carefully review the terms of any prospective policy to make sure it’s a good fit for the company’s needs.
Additional factors to consider include the insurer’s reputation for handling and paying claims and whether it provides free or discounted cyber risk mitigation services (such as risk assessments, training, and incident response training). Purchasing decisions made strictly on price may ultimately prove to be much more costly.
Although today’s dynamic cyber insurance market creates challenges for insurance buyers, it also provides an opportunity to negotiate for better policy terms and coverage tailored to the company’s unique cyber needs. Companies should exercise their leverage during the insurance buying process to get the best possible coverage.
Step 5: Post-coverage considerations
Once coverage is in place, the insured should take steps to understand and operationalise the various requirements and policy conditions with which it must comply. For example, the policy may require the insured to get the insurer’s prior written consent before paying a ransomware demand or hiring a consultant after a data breach. The processes mandated by the policy in the event of a claim also must be understood.
In addition, it’s a good practice to periodically monitor and evaluate coverage in light of evolving business needs, such as merger and acquisition activity. The insured also should keep an eye on the changing cyber threat landscape to ensure that its coverage remains adequate. New coverages offered by insurers also should be monitored.