This reply to my blog, Should I buy cyber insurance? is written by David McNeil, principal, of EPIC Insurance Brokers & Agents. He brings 20+ years of professional industry experience to the topic on cyber insurance. Some of Alvaka Networks' clients have been utilizing Dave's services for many years.
Always enjoy your insights and thoughts on Tech-related subjects. Lately, the plethora of headlines regarding cyber-related issues has meant the interest in cyber-insurance has reached a new level. This is a huge topic and this comment can only scratch the surface.
That said, a bit of an insider-view may be helpful…
Currently, cyber-insurance coverage forms are NOT standard (ISO) forms. As a result, insurance carriers forms differ greatly. Many parts, definitions, limits and coverage triggers are negotiable.
Definition negotiations are critical. It is important to know what to look for and how to modify a particular carriers form to best suit the needs of a specific client/insured.
EXAMPLE: Trigger for Notification of a Breach - (A hypothetical…. Sort of)
A hospital has a backup of patient information data. It is being transported to an offsite storage facility. The driver stops for lunch en route. The car is stolen from the restaurant parking lot.
Do we have a breach? Will the insurance company pay for notification costs to the patients whose data is now in the wind?
Most policies will say that the notification cost will be covered to $X limit when the insured becomes “Legally Liable”. That means when specific law requires notification.
However, in our example, after about 10-days of discussion, the hospital decided that the right thing to do was to notify the patients. The cost was approximately $250,000 directly from their bottom line.
However, a negotiation for a “Voluntary Notification” would have meant that the insurance company would have paid. (less a much smaller deductible or self-insured retention=SIR)
Likewise, in the quote provided in your blog, the sublimit for Phishing could also be negotiated. These items may have little or no cost effect on the overall quote. BUT, if you don’t ask….or don’t know to ask….these small changes can ultimately mean a large difference to the client/insured.
Just some summary points:
Limits of Liability
Set limits that will help your company to survive. You may not be able to buy enough insurance to completely insulate you from paying on a large loss. But, it can help you to live to fight another day. Estimates vary by quite a bit, depending on what is included in the calculation. But, a good working number is $200/record that is at risk…..you do the math. This is a discussion to have that includes your broker and your CFO. They can help you balance your tolerance of risk, with what you can afford in premium and/or deductibles.
Take the Best and Leave the Rest
Focus on the main risks and see what you really need of the coverages being offered. Maybe you can save a little money if you are willing to get a more stripped-down basic policy.
READ the Exclusions
As an example, some policies exclude coverage for liability arising from a breach of contract. Many insurers are willing to modify this and/or other exclusions...but you have to ask. They don’t offer it up for you as an option.
Negotiate this date as far back in time as possible. No date is the best. If you don’t, it means there may be no coverage provided for claims made due to breaches that occurred before the policy period. You may have a breach and not know it currently. But if/when you find out, you don’t want to give the carrier any wiggle-room to say that it was before the policy incepted, so they won’t pay.
Best is a “duty to defend” statement. This means that the insurance carrier will begin paying the legal bills right away on your behalf. Otherwise, you may end up fronting part/all of the legal costs until the case is finalized...and THEN you submit for reimbursement. This is not the way to go if it can be avoided.
Your coverage and vendor indemnity agreements should complement each other so you can maximize your recovery from both. Be sure that the SIR or Deductible clauses don’t bar you from collecting from the Cyber policy.
Partial Subrogation Waiver
This waiver will verify that the insurer won’t say that their subrogation rights have been lessened/impaired by any contract you have with a data vendor before a loss occurs.
Panel and Consent Provisions
As part of your Cyber-response plan, if there are specific vendors you’d like to use for Forensics, PR, etc. be sure to negotiate that into the policy. You can submit them for approval. Otherwise, you’ll be using the panel the insurer provides. That may be OK...but, you should make this decision from a place of knowledge, not default.
Be sure that it is clear that you have coverage from any vendors, subcontractors vicarious liability.
Cyber with Other Insurance
Generally stated, you may want to contractually require your vendors to have a Cyber policy to act as the primary coverage and name you as an additionally insured.
Alright, enough for now. THANK YOU again for focusing on Cyber-insurance.
David J. McNeil, ARM
EPIC Insurance Brokers & Agents