Cyber insurance is now a necessity for most businesses. Breaches of all sorts are an epidemic — and they can affect even the smallest of operations. But navigating the obscure language that is sometimes used to spell out these policies is a challenge even for experts in the field. Narrowly defined provisions may mean that major costs are not covered. And legal battles sometimes ensue as a result.
There are, however, steps that insured parties, their legal representatives, and insurers themselves can take to minimize misunderstanding and establish the broadest possible coverage.
Legal experts talk about how to negotiate policies, establish internal best practices, and avoid time-consuming, expensive disputes when a breach occurs.
Facilitate Internal Communication
Perhaps the most important factor in ensuring maximum payout from a cyber insurance policy in the wake of a breach is including IT staff in insurance discussions from the start. Many organizations make the mistake of assigning insurance acquisition to risk management departments and other executive staff members.
While they are of course key players, they must consult with the on-the-ground crews responsible for monitoring and safeguarding data to truly leverage these policies. When they fail to do so, more often than not they end up with patchy, boilerplate coverage and are exposed to unnecessary liability.
“I think a lot of companies look at them more as a resource and don’t think about including them as part of an insurance recovery strategy,” says Andy Moss, a partner and member of the insurance recovery group at law firm ReedSmith. “Neither of those positions really gets trained to do those things. But the reality is that insurance requires them to work together. Companies should integrate them both into those processes.”
Moss often helps companies negotiate these policies and always makes sure to bring in the IT team to discuss the details.
“I’ve advocated that they be brought into the fold so they can understand how cyber insurance works,” he explains. “We want them to know what they should be looking out for, because it’s not necessarily commensurate with what they’re looking out for in their day-to-day jobs.”
“The application process for purchasing policies is incredibly complicated and time-consuming,” he says. “As you can imagine, they include a lot of detailed information about system architecture, training, security, and software. IT professionals are typically the only people who can really answer those questions.”
These early discussions pave the way for a more effective response when an event does occur. When companies understand the reporting requirements of their cyber insurance policies, they can design more effective protocols that can then be enacted as their IT teams scramble to repair the damage.
Ad hoc responses compound liability. So do policies that inaccurately represent the company’s security position. There is wide variation in the cyber insurance industry on security requirements.
“A recent case involving Travelers provides a cautionary tale,” notes Peter Halprin, partner at law firm Pasich. “In that case, Travelers sued its insured to void a cyber insurance policy and to avoid covering a ransomware attack. According to Travelers, the insured misrepresented its use of multifactor authentication in its application for cyber insurance.”
Squaring the policy’s requirements with the existing protocols requires extensive discussion with the staff responsible for implementing them.
“One of the first things that often happens in a cyber claim is that the insurer may review the answers that were provided in the application to see whether there are any inconsistencies with what they’re learning through a forensic investigation of the incident, versus what was represented in the application,” Moss confides.
The IT team is essential on the back end as well. When breaches occur, most insurers require proof of loss statements. The staff most attuned to the reality of these losses can nail down exact costs and provide the documentation to support them.
“They’re usually the people that I rely on to help me draft that document in sufficient detail in order to get the best shot at getting coverage,” he says.
The Problem of Reporting Periods
Organizations would also be well-advised to establish reporting periods for security incidents with perfect clarity. Some cyber insurers offer grace periods, during which events that occur outside the parameters of the policy are still covered. If, for example, a breach occurs during the policy period but is not discovered until a month after it expires, it may still be covered if other good faith efforts to protect data can be established. Other insurers may draw a strict line and deny coverage if the event occurs outside the reporting period.
“It’s probably one of the largest sources of insurance recovery disputes that we see,” Moss notes. “It’s a question of timing: whether something was known at a certain time, but not reported till much later.”
Discovery of loss is a term of art, he says. That is, it is not necessarily exact. What constitutes a discovery of loss? An initial indication that a system may have been compromised? Or hard evidence that data has been stolen and a bad actor is attempting to extort the company or has released sensitive information?
Ensuring that the language of the policy clearly reflects expectations of disclosure can save enormous amounts of trouble down the line.
“What we’re typically looking for is some kind of flexibility or grace period,” Moss says. “Problems typically arise when an incident happens very close to the first placement of a policy, or expiration of a policy.”
Get Your Investigations Covered
Another often-neglected aspect of cyber coverage is the cost of investigations. The scope of forensic analysis of breach events may be beyond the skill set or the bandwidth of IT staffers. Organizations may need to retain outside services to get to the bottom of what actually occurred. These investigations are typically quite costly and involve multiple service providers covering a range of issues. Policy language may establish a time during which investigations will be covered, often aligned with reporting periods.
Policy language may also limit which vendors can be used.
“Companies sometimes lose out on reimbursement if they do not use approved vendors,” warns Halprin. “Alternatively, companies can work with their brokers and insurers to try to get their preferred vendors, already in their incident response plans, pre-approved for incident response services.”
“There may be requirements that you get approval to hire outside vendors: forensic consultants to handle the investigation to figure out what happened and terminate the problem and assess the damage. Or attorneys from outside law firms,” Moss adds. “In many cases, the policies may not cover 100% of all the tasks that are going to need to be completed. That’s just the nature of insurance. It’s not always all-encompassing.”
He suggests getting an insurance adjuster on the phone immediately when there is any question about what will be covered. Doing so prior to retaining outside services can save enormous amounts of money, both in upfront expenditures and later litigation that may result from disagreements.
Clarify Coverage of Business Interruption
The extent of coverage for business interruption is also a major bone of contention in cyber coverage. Vaguely defined terms often result in insurers denying coverage for business losses. Specifying what exactly constitutes business loss in the policy language can obviate later conflicts when those losses actually occur.
“Most of the disputes that I see tend to be over issues regarding the amount of a business interruption loss and the appropriate period of loss from which to calculate the amount,” Halprin says.
“There can be reasonable differences of opinion as to how to quantify those losses, which can be critical in some cases, depending on the amount, and how the insurance is written,” Moss concurs.
Likewise, relating the narrative of these losses in a detailed, scrupulously documented way can make all the difference. If that documentation aligns with the originally specified policy language, it will be much harder for the insurer to make an argument for denial.
“One mistake we often see is our clients not thinking about what the story is going to be and how they’re going to present it to the insurance company. Insurance professionals may have an eye out for the economic interests of their own employer, rather than the policyholder, which is not something that should be done, in my view, but it’s nonetheless a natural human trait,” Moss says.
Cross-Check Other Policy Coverage
Because cyber policies may exclude — or only narrowly include — certain types of damage, it is also necessary to coordinate them with other policies that might provide more generous coverage. Property policies, for example, may cover damage to equipment and even more serious consequences of data breaches, like fire and flood, that occur downstream of the digital damage.
Some cyber policies now offer “bricking” coverage that will cover equipment damage.
“When computer hardware, firmware, or other software gets corrupted or damaged in the attack, the reality is that it’s often cheaper to just unplug and throw it out and replace it with a new one, rather than trying to go in and fix that software,” Moss says. “And it’s also significantly less labor intensive. Insurers have generally come around and recognized that this is a benefit for the policyholder and themselves. It helps get the damage fixed quicker and costs less money.”
An arrangement of overlapping policies can prevent hemorrhaging when an attack actually occurs.
Ultimately, cyber insurance payouts are maximized for organizations that de-silo the IT team, advocate for tailored cyber policies, and document incidents in detail. These same processes can, of course, also lead to general organizational efficiency.