4 Cyber Insurance Myths That Are Putting Your Business at Risk
Be honest: Do you know what your cyber policy actually covers?
“There still seems to be a lot of mysteriousness around cyber insurance policies, especially from the perspective of technologists and security specialists,” said Nick Graf, Assistant Vice President of Information Security, Risk Control, CNA. “Many of them are unsure if these policies ever actually pay out.”
The rapid evolution of cyber coverage and the lack of a standard industry-wide form has left plenty of room for variation from policy to policy. Combined with the constant emergence of new cyber risks, nuances in policy language create confusion over exactly what’s covered and what’s not.
Underwriters with true expertise in information technology and security, however, can demystify and debunk common myths risk managers believe about their cyber insurance:
Myth #1: Cyber insurance covers every loss related to the use of a computer.
“Calling it ‘cyber insurance’ is a little bit of a misnomer,” said Brian Robb, Underwriting Director, Cyber Industry Leader, CNA. “Just because a computer is involved doesn’t mean it’s going to trigger a cyber policy.”
Organizations get into trouble when they assume that their cyber policy will also respond to losses from social engineering schemes, business interruption, reputational harm, or property damage resulting from a network breach.
“Some of these secondary coverages may be tacked on as endorsements, but they are not as significant or as necessary as privacy liability or incident response coverages, which are the core parts of a cyber policy,” Graf said. “They certainly do not come standard.”
Traditional cyber coverages include first-party breach response (forensic investigation, notification and credit monitoring) and third-party protection against lawsuits arising either from a breach that violated privacy laws or from a network failure that disrupted services for customers.
“The vast majority of your claims will fall into one of these three buckets,” Robb said. “These coverages are consistent in almost every standalone cyber policy on the market.”
Fact: Cyber insurance is only designed to cover network security and privacy liability.
Myth #2: Terms and conditions are consistent across all basic standalone cyber policies.
Although the traditional cyber market has matured to the point where first- and third-party coverages have grown fairly consistent, there is still no standard form used by all carriers. This means policy wording, terms and conditions and exclusions can — and do — vary from one insurer to the next.
In fact, policy differentiation is often how carriers seek to find their own niche in a crowded market.
“A recent cyber market update by Aon Benfield, ‘2017 US Cyber Insurance Profits and Performance,’ stated there were 170 U.S. insurers writing policies and collecting premium on cyber,” Robb said. “In some cases, there are E&O or crime underwriters writing a cyber form just to try and get in the game, and these new entrants are often the ones offering secondary coverages that look attractive to buyers.”
If brokers and insureds are drawn in by “bonus” coverage for reputation damage or contingent business interruption, for example, they risk overlooking the strength of the core cyber coverages and of the claims team backing them up. Graf and Robb say a lack of education in the marketplace means risk managers don’t necessarily know what to look for when it comes to these core components.
Fact: Variance among policy language means risk managers need a thorough review of coverage with their brokers to fully understand what they’re buying.
Myth #3: My cyber and other P/C policies together will protect me from emerging risks.
Cyber exposures increasingly intermingle with other categories of risk, including property and fidelity. More automation in manufacturing, for example, creates more opportunities for system failures. Machinery malfunction could lead to property damage, bodily injury, or product defects.
“It’s possible that either through deliberate hacking or a coding mistake that a machine stops operating the way it’s supposed to,” Graf said. “But when the damage incurred is physical rather than related to intangible data, it’s often not covered under a cyber policy.”
Some carriers are also moving to specifically exclude coverage for physical damage losses from a cyber event in their property policies. The same goes for theft of funds perpetrated via a social engineering scam.
“A cyber policy likely won’t cover a fraudulent transfer when no one actually infiltrated your network. And because the funds were willingly sent, a crime policy often will not pick up that loss either, even though the employee was tricked,” Robb said.
Fact: Tangible losses resulting from a network security issue or phishing may not be covered under a cyber, property or crime policy.
Myth #4: It doesn’t matter which carrier I buy my policy from.
“I see a lot of insureds making decisions mostly based on cost,” Graf said. “Comparing two cyber policies is like comparing apples to oranges because the types of coverages included in the policies, how broadly things are defined, the exclusions — they can vary greatly.”
The cost of a policy also does not reflect the strength of a carrier’s claims team or their risk mitigation services. A less expensive policy from a new entrant in the market may not come with a dedicated claims staff, which means claims and breach response are handled more slowly.
Established carriers also bring with them their relationships with loss prevention vendors, like security, PR, and forensics firms.
“A handful of us have been doing this for quite some time and have fully staffed teams and fully vetted panels,” Robb said. “That enables a fast claims response and a much better customer service experience.”
Fact: Vetted risk control services and a dedicated claims team are just as important as a policy itself.
Expertise Matters in a Changing Market
In the ever-evolving world of cyber risk and insurance, partnering with experts is critical to being as prepared as possible when a loss eventually occurs.
Within their Risk Control group, CNA has 11 Certified Information Privacy Technologists, many of whom hold other certifications through the International Association of Privacy Professionals. Graf himself comes with 15 years of experience including ethical hacking and penetration testing.
“They are there working day-in, day-out with the underwriting teams, and I occasionally work with our claims team when they have a complicated claim that comes in,” Graf said. “This way we all understand what actually happened.”
A dedicated 10-person claims staff also works on cyber claims, all of them former attorneys, and many of them with more than 10 years of experience.
“We’ve been in the cyber market since the beginning, and we’re not going anywhere,” Robb said. “We’ve committed the time and resources to remain a leader in this space and provide a best-in-class cyber offering.”
To learn more, visit cna.com/cyber.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with CNA. The editorial staff of Risk & Insurance had no role in its preparation.