Risk Insider: Ryan McGuinness

Analyzing Gaps in Cyber Risk Coverage

December 8, 2016

Ryan J. McGuinness, M.Ed., ARM, is the Manager of Risk and Insurance for the Hershey Company. Ryan can be reached at [email protected].

The basic tenet of the risk management profession is reducing, eliminating or transferring risks that could impact an organization’s bottom line, brand and reputation. A part of that process involves identifying gaps in coverage in your organization’s portfolio of insurance.

Gap analysis of traditional lines is somewhat tangible. Depending on our industry sector, we are accustomed to being the experts in identifying and managing those risks. Routinely, risk managers employ some form of coverage analysis with the help of their broker(s) as a tool to plug the gap.

The challenge we face is achieving a state of continuous improvement and being prepared with contingencies as risks change and emerge. Ultimately, the risk management portfolio should not only be scalable, but have the flexibility to respond in the world of changing risks.

Today, we see the cyber liability space maturing from an insurable risk standpoint. Underwriters and brokers are offering new, innovative products and have a professional skill-set that ensures underwriting integrity and improved risk control. Likewise, many companies have risen to the challenge to protect their assets and mitigate the cyber exposure in depth and breadth.

From the risk management point of view, business continuity coverage and potential third-party liability coverage get murky in certain cyber losses. There are endless contingencies, particularly in a dreaded Black Swan scenario.

The importance of table-top exercises attended by the C-suite, CISO, information security, operations, HR, public relations, risk management and external counsel is paramount. You don’t want to find out your crisis management plan doesn’t work during a crisis.

Equally important is determining the interplay of coverage in your cyber, property and umbrella/excess programs. Leverage your broker resources to perform a gap analysis on the interplay between your property, cyber and umbrella programs. The goal is to understand how coverage applies and to identify potential gaps in the event of a cyber loss.

In today’s world, a major cyber event can take the form of a tangible loss as well as a financial loss. It’s possible that a cyber event can result in not only loss of data but also first- and third-party property damage and bodily injuries.

Taken further, a property loss involving business interruption can complicate how your program will respond as you work through getting your operations back up and running. A side-by-side exercise using multiple breach scenarios will help the risk manager understand how the policies work and, importantly, identify gaps and overlap in coverage.

Some key areas of interplay of coverage are physical damage to tangible assets and data restoration costs, business interruption and contingent business interruption.

You should understand how the waiting period applies between programs, how business interruption is calculated and what costs are covered to restore or recreate lost data, among other things. Playing out these scenarios helps to reduce the uncertainty of how policies respond, and how the loss impacts your bottom line, before the crisis strikes.

Be prepared, understand the interplay between programs and work with your broker partners to fill the gaps in coverage.
