Tips for Buying Corporate Cyber Insurance

By Amy Stewart Law

In 2016, following cyber breaches dominating the headlines for more than a year (e.g., Target, Sony), experts said there are two types of businesses in the world –  those who know they have been hacked, and those who have not yet discovered the breach. As a result, more businesses are researching and obtaining cyber insurance to alleviate the risk of an attack on their computer systems. When shopping for cyber insurance, keep the following in mind:

1. Policies are not standardized. The terms vary widely – from insurer to insurer and from policy to policy. The bad news = buyer beware. The good news = there’s room for negotiation, especially for large insureds. Compare the policy forms carefully. Look at the policy language specifically, not just the marketing hype.
2. Beware of exclusions that effectively shift the risk back to the insured – to follow certain protocols, policies, procedures, etc. CNA just sued an insured to avoid coverage because the insured did not do all of the things it said it does in its application.
3. Look for fines + penalties coverage. It’s widely available in the cyber market. If the policy defines “Loss” to exclude fines and penalties, ask for the coverage.
4. Negotiate for specific vendors on the front-end. If you want to use a particular breach coach or notification company, ask the insurer for approval when you buy the policy. Otherwise, expect to be limited to the vendors the insurance company has pre-selected to include on an approved panel.
5. Pay attention to sub-limits (a lower limit applicable to certain covered costs) – notification costs, for example, may be subject to a dollar amount sub-limit, to a number of records, or to a number of notification recipients. For example, a policy with a $10M limit of liability may have a $5M sub-limit for notification expenses, which means the insurer will pay notification expenses only up to $5M.

As corporate America tries to stay ahead of cyber exposures, the insurance industry is scrambling to create sustainable but cost-effective solutions to meet the risk-transfer demand. As the market evolves, businesses need to understand both their risks and the scope of the insurance policies they are considering. We help businesses review, understand, and negotiate policy language to obtain the most coverage for the premium dollars spent. If you need assistance with your cyber policy purchase or renewal, please contact us.