Written by Heidi Lawson, CPCU and Danny Harary
“Cyber liability insurance” is often used to describe a range of insurance policies, in the same way that the word cyber is used to describe a broad range of information security related tools, processes and services. Everyone is talking about the need for “stand alone” cyber liability insurance policies. These stand-alone cyber liability insurance policies basically cover expenses related to the management of a breach, e.g., the investigation, remediation, notification and credit checking. However, cyber liability coverage is also found in some existing insurance policies, including kidnap and ransom and professional liability coverage. There may also be some limited coverage through a crime policy if electronic theft is added to that policy.
Despite the fact that there are many kinds of insurance policies available that arguably cover various “parts” of cyber risk, the parts that are not covered are significant. The problem is, very few insurance professionals really understand cyber risk or cyber liability insurance. This means that companies that are buying “stand alone” cyber liability coverage are often presented with the wrong information about the scope of coverage provided in a particular policy. I recently worked with a client who was told by the insurance underwriter that their stand-alone cyber policy covered theft of money and securities. This was not true. Coverage was limited to the theft of personal identifiable information and money and securities was specifically excluded. Last month I was at a roundtable discussion with a group of directors when a broker suggested that a stand-alone cyber liability policy would cover the board of directors in the event there was a derivative suit. Again, this isn’t true.
What does this mean for a board of directors or a company that is worried about their cyber exposure? First of all, they should understand that “stand alone” cyber liability insurance policies provide important but limited coverage. What it means is that a stand-alone cyber coverage isn’t a silver bullet that solves cyber risk. Like Clara, they need to be asking “where’s the beef?”
Cyber liability is a very complex risk that doesn’t neatly fall into any one insurance policy, and there are shortfalls in coverage everywhere. When a board of directors is faced with a derivative suit for failure to oversee the protection of customer information, there is a risk that their directors & officers insurance coverage will not cover the lawsuit because there is a standard privacy exclusion in all directors and officers insurance policies that is often overly broad. Even if a separate cyber liability policy was purchased, that separate “stand alone” cyber liability insurance policy will not cover the board of directors, because a stand-alone cyber policy doesn’t cover derivative suits. So, where does that leave the board of directors? Exposed. Similarly, while the separate “stand alone” cyber liability insurance policies cover privacy breaches, those breaches typically must be the theft of “personally identifiable information”. However, what about the theft of a hedge fund’s trading information? Uncovered.
So, what should a board of directors or company do that is worried about insuring for cyber risk? Ask detailed questions about what is covered and can be covered. Where is the beef? Ask that question more than once. Read all your insurance policies and ask exactly where the policy provision is that covers a particular risk. Take the time to understand where the gaps in coverage are and, to the extent possible, work to close those gaps in protection. Also, keep in mind that insurance is only one tool to help you manage risk, but isn’t the sole answer.