Cyber Insurance

You Had a Cyber Incident – Will Your Cyber Insurance Pay?

We all hope that we will never have to file an insurance claim, and, if filed, our claim will not be rejected. The ever expanding cyber threat landscape calls these two tenets into question. Will your cyber insurance pay your claim?

Cyber insurance has evolved from being implicitly covered under General Liability / GL to a completely separate and highly nuanced policy. It is critical to understand the coverage scope and its covenants.

In the face of law suits, insurers have been under pressure to provide more clarity about what, if any, cyber risks may be covered or excluded under a GL policy. Insurers and brokers are now more likely to steer customers to specialized cyber insurance policies that address the unique exposures associated with cyber events.

The cyber insurance itself has been a rapidly evolving field struggling to keep up with the advancing cyber threat landscape. “Chasing” the latest cyber threats in a policy which is in place for one year appears to be a losing proposition. This inability to keep up with malicious actors is being addressed by an increased focus on the insurable cyber incident’s operational impact, subject to exclusions and conditions.

It is the insurance policy’s covenants – the insured’s obligations under the policy - that are often overlooked. Simply speaking, if the insured fails to meet the coverage requirements, the insurer has the right to reject future claims. The covenants sections of cyber coverage have expanded and cover security monitoring, log collection, access control, regular comprehensive assessments, etc. In addition, cyber polices now include expanded reporting requirements and call for an ongoing dialogue between insurers and insured.

The seemingly bespoke nature of today’s cyber coverage does open a door to negotiating a custom policy which may result in a lower price in exchange for fewer controls and a limited coverage. This tradeoff, however, needs to be evaluated and quantified.

To minimize the possibility of a non-covered cyber incident it pays to understand your cyber coverage requirements and include them in every security evaluation. If a requirement is not met, it is important to agree with your insurer on the time to cure the deficiency. Failure to meet these requirements may render your cyber policy worthless.