NOTE: Brian Brown is a guest author for INSUREtrust. He is an expert in cyber liability coverage, and has held a number of senior positions in the insurance industry for over a decade. He may be contacted by email at [email protected] or by phone at 404-849-3004.
In Brian’s next article, Part 2, he will explain how to complete a cyber liability insurance application.
We can probably all agree that completing a cyber insurance application is an arduous task. This article will make the undertaking easier, whether you’re an agent or broker, or even the one seeking to be insured. The information here will also assist in assuring the most favorable outcome once the application is submitted to an underwriter.
Why so difficult? In many cases, it takes a village.
Cyber (more clearly stated as Network Security and Privacy) applications are particularly challenging since the coverage touches so many aspects of an enterprise and therefore requires multiple individuals to complete various sections:
- Risk Manager/Financial Officer – General information, limits and retention options.
- Information Technology (IT) – Technical safeguards to the network such as firewalls, intrusion detection, backup procedures, patch management and encryption of data.
- Privacy Officer (May be IT also) – Encryption of data on mobile devices, procedures with regard to paper files with confidential information, and policies and procedures with regard to privacy training.
- Marketing – Most cyber policies offer an option for website media, so there are questions about content acquisition and clearance.
- General Counsel – Networks typically use third party providers for some of the functionality needed such as data backup, hosting or security. There are contracts with these providers.
- Human Resources (HR) – HR may be responsible for disaster recovery or incident response.
It is no wonder, then, that many cyber applications come back incomplete or with contradictory information.
Why IT specialists do a great job, but may not be the best to complete an application.
In many instances, much of the application is completed by the IT department. This poses two potential drawbacks. First, in some cases, the purchase of insurance is seen by the IT department as insurance against a failure on their part. This is just not true. Consider, for example, that property insurance is purchased on highly engineered buildings which are made of fire resistant materials and have a specifically designed, active sprinkler system. Yet, even with these precautions they still have fires and insurance is purchased.
The paradigms are similar. Also, the coverage offered by insurers now extends well beyond the network into areas of privacy which are outside the scope of IT and involve human beings. For instance, one of the most prevalent exposures to loss is an employee misplacing a laptop with confidential information.
Second, IT personnel are, by nature and vocation, extremely literal. They have a tendency to answer questions in the most literal sense as opposed to answering the spirit of the question, which is what underwriters are seeking.
For instance, an information security specialist at a very large bank answered “no” to the question, “Do you have a formal security program in place?” Having met the fellow previously, I called him to ask why he answered “no” when I knew they had all the policies and procedures in place and then some. His response: “We don’t have ‘a’ formal security policy, we actually have three, one for headquarters, one for the ATMs and one for the branches.”
In another instance, when asked if backup tapes were “always” stored offsite, the IT respondent answered “no.” Upon further investigation it was discovered that three years earlier, during a statewide blizzard, the company had been unable to ship the tapes offsite.
Pricing and underwriting a cyber policy sometimes doesn’t make sense.
Another challenge with cyber applications is endemic to the rating methodology itself. The largest share of the loss dollars paid by carriers has been to satisfy the state notification laws. These require that notification be given to individuals whose personally identifiable information (PII) may have been compromised. Therefore, the insurers should be rating off the real exposure – the amount of PII an insured maintains.
Instead, however, insurance carriers typically use revenues as a rating basis. This may or may not have a relation to the real exposure to loss. There is a tremendous difference in exposure, for instance, between a hospital and a manufacturer with the same revenue. This is analogous to rating property insurance off revenues. It makes a big difference in the property insurance if the organization leases or owns the building.
In any event, insurance underwriters are now trying to ferret out the true amount of PII maintained by the prospect and rate the account based on the real exposure. Some applications are now specifically asking this question. This is a difficult number to obtain for most organizations, but one that will go a long way to reducing the cost of cyber insurance, even if it is only an estimate.
How do you overcome obstacles in completion of a cyber application?
So how do you break past the obstacles of completing a cyber application? The easiest answer is – You don’t! With cyber coverage, it is not unusual to approach a few carriers for a ballpark figure prior to completing an application. Typically, a good, experienced underwriter can give a relatively accurate estimate of the terms, including cost based on a website review and revenue.
In this way, cyber, which in most cases may be a new coverage, can be presented in conjunction with other coverages such as the Property and Casualty or the Directors and Officers renewal proposals. The insured can then make a determination as to whether they are interested in purchasing the coverage at that estimated price without the hassle of completing an application.
The second answer as to how you overcome these obstacles relates to the pervasiveness of the problem cyber coverage addresses. Privacyrights.org or dbloss.org can be checked for past cyber losses (and great claims examples), or you can open your daily newspaper and often see a report on the most recent cyber event. It is prudent for any organization to make an informed business decision as to whether to purchase this coverage.
Even the SEC’s Division of Corporation Finance has issued guidance for the disclosure of cyber security risks and cyber incidents in SEC filings. So, although troublesome, it is now time for organizations to consider cyber coverage, which, to get bindable terms, requires an application.