Every cyber or data loss incident is different in nature, and some require more action than others. Incidents that pose the potential of serious risk or harm through lost or compromised data can have a very real impact on an organisation, including significant financial implications and damage to brand and market reputation.
Every organisation operates differently and has its own unique IT and cyber risk profile, which makes deciding what IT insurance coverage meets these needs an extremely complex process.
Understanding existing insurance cover will enable organisations to make informed decisions about risk transference and determine which cyber liability insurance product best suits their organisational risk profile and needs. For example, your organisation’s existing insurance policies may provide some protection from cyber risks or data loss but how much?
It is also essential to understand how your existing policies interact with each other, as in the event of a claim you are required to advise your insurer of other policies that may provide cover.
However, cyber insurance policy selection cannot be done without first fully understanding your cyber risk position. For example:
1. Business insurance policies (business property)
Standard business insurance policies only cover tangible assets, such as building and contents. Electronic data is not generally considered a tangible asset under standard business insurance policy definitions. Some policies may include an extension to cover some ‘loss of data’, but generally also apply sub-limits that are typically too low to properly compensate for the loss or pay for the restoration of data.
2. Public and products liability insurance policies (sometimes referred to as general liability)
This type of insurance may form part of a business insurance policy (including covering buildings and contents), or could be a stand-alone policy. Unless specifically endorsed, this policy will generally exclude personal injury or property damage arising from your online operations, and property damage to electronic data, computer programs or storage media.
3. Professional indemnity
Professional indemnity policies may offer some cover, but this will depend on the specific policy wording, definitions and exclusions. Note that some professional indemnity policies exclude cyber crime.
Cover will generally only relate to third-party losses, such as claims for compensation and damages. These third-party losses may be limited to exclude certain events, such as transmission of a virus through your computer system to a third party.
It’s unlikely your professional indemnity policy will cover first-party losses to your business, such as data rectification costs, breach notification costs to your clients and customers, breach of an employee’s data, loss of revenue, forensic investigation costs, and public relations expenses.
However, your professional indemnity policy may cover legal defence costs, punitive fines and penalties, and court attendance costs.
4. Management liability (including directors and officers)
As with professional indemnity, management liability insurance may offer some cover for cyber attacks. The nature of the cover available will depend on the specific policy wording, extensions, definitions and exclusions. Some management liability policies will exclude cyber crime, while other policies offer the option to add cyber cover as an extension.
Management liability cover will generally relate to third-party losses and may be subject to specific exclusions and sub-limits. Again, this type of insurance may only offer limited cover for first-party losses.
Once you have a comprehensive picture of the cover available under your existing insurance policies, you’ll be in a better position to purchase the type of cyber liability insurance that best suits your organisation’s risk profile and needs. The following are additional points to consider when topping up your existing cover or purchasing additional cover.
1. Identify your real unique risks
The first step in purchasing cyber liability insurance is understanding the nature and extent of the risks facing your organisation. Every organisation has a different risk profile based on the information that it manages and stores. For many banks and retailers, the primary concern is the loss of bank account details and personally identifiable information. In contrast, a utility or energy organisation might face the risk of disruption of critical business or physical operations through attacks on networks. It is very important for organisations to tailor their cyber liability coverage to the most likely risks they face.
2. Purchase what you need
It is possible to design a policy and cover to suit your risk profile, and that only covers you for the items you need. If an insurer is not willing to remove an objectionable exclusion or limitation from its policy, obtain quotes from an insurance carrier that will offer the coverage without the limitation.
3. Secure appropriate limits and sub-limits
Compare the anticipated costs associated with a data breach (or security event) with the policy’s liability limit options and the related costs. The costs of responding to a data breach can be substantial. Estimates vary, but in 2014 the average cost of a breach was $2.8 million overall, which translated to a cost per lost electronic record of $145.
Most cyber liability insurance policies impose sub-limits on some cover, such as for crisis management expenses, notification costs and regulatory investigations. These sub-limits are often inadequate, but many insurers are willing to negotiate the size of the sub-limit, often without increasing the premium.
4. Beware of exclusions
Often, cover for a loss or claim depends on the policy exclusion wording as opposed to the wording in the grant of cover. As cyber liability insurance is a relatively new product, the policy wording is not standardised. Check that your policy does not contain irrelevant exclusions taken from other types of insurance forms.
5. Get retroactive coverage
Cyber liability policies sometimes restrict coverage to breaches or losses that occur after a specific date, such as the inception date of the policy. This means that there would be no coverage for breaches that occurred before the start of the policy. As breaches may go undetected for some period of time, it is important to purchase coverage with the earliest possible retroactive date.
6. Consider coverage for acts and omissions by third parties
Many organisations outsource data processing or storage to a third-party vendor. It is important that your cyber liability insurance policy provides cover for claims arising from misconduct by one of your vendors.
Cyber Plus provides “Cyber Liability Insurance by Design”
Phone: 1300 886 033