Sponsored Content by CNA

4 Cyber Insurance Myths That Are Putting Your Business at Risk

Lack of education, emerging risks, and inconsistent policy language sow confusion in the cyber market. Two experts debunk common but dangerous myths.
September 19, 2018 • 6 min read

Be honest: Do you know what your cyber policy actually covers?

“There still seems to be a lot of mysteriousness around cyber insurance policies, especially from the perspective of technologists and security specialists,” said Nick Graf, Assistant Vice President of Information Security, Risk Control, CNA. “Many of them are unsure if these policies ever actually pay out.”

The rapid evolution of cyber coverage and the lack of a standard industry-wide form has left plenty of room for variation from policy to policy. Combined with the constant emergence of new cyber risks, nuances in policy language create confusion over exactly what’s covered and what’s not.

Underwriters with true expertise in information technology and security, however, can demystify and debunk common myths risk managers believe about their cyber insurance:

Myth #1: Cyber insurance covers every loss related to the use of a computer.

“Calling it ‘cyber insurance’ is a little bit of a misnomer,” said Brian Robb, Underwriting Director, Cyber Industry Leader, CNA. “Just because a computer is involved doesn’t mean it’s going to trigger a cyber policy.”

Organizations get into trouble when they assume that their cyber policy will also respond to losses from social engineering schemes, business interruption, reputational harm, or property damage resulting from a network breach.

“Some of these secondary coverages may be tacked on as endorsements, but they are not as significant or as necessary as privacy liability or incident response coverages, which are the core parts of a cyber policy,” Graf said. “They certainly do not come standard.”

Traditional cyber coverages include first-party breach response (including forensic investigation, notification and credit monitoring) and third-party protections for lawsuits arising out of either a breach that violated privacy laws or a network failure that disrupted services for customers.

“The vast majority of your claims will fall into one of these three buckets,” Robb said. “These coverages are consistent in almost every standalone cyber policy on the market.”

Fact: Cyber insurance is only designed to cover network security and privacy liability.

Myth #2: Terms and conditions are consistent across all basic standalone cyber policies.

Although the traditional cyber market has matured to the point where first- and third-party coverages have grown fairly consistent, there is still no standard form used by all carriers. This means policy wording, terms and conditions and exclusions can — and do — vary from one insurer to the next.

In fact, policy differentiation is often how carriers seek to find their own niche in a crowded market.

“A recent cyber market update by Aon Benfield, ‘2017 US Cyber Insurance Profits and Performance,’ stated there were 170 U.S. insurers writing policies and collecting premium on cyber,” Robb said. “In some cases, there are E&O or crime underwriters writing a cyber form just to try and get in the game, and these new entrants are often the ones offering secondary coverages that look attractive to buyers.”

If brokers and insureds are drawn in by “bonus” coverage for reputation damage or contingent business interruption, for example, they risk overlooking the strength of the core cyber coverages and of the claims team backing them up. Graf and Robb say a lack of education in the marketplace means risk managers don’t necessarily know what to look for when it comes to these core components.

Fact: Variance among policy language means risk managers need a thorough review of coverage with their brokers to fully understand what they’re buying.

Myth #3: My cyber and other P/C policies together will protect me from emerging risks.

Cyber exposures increasingly intermingle with other categories of risk, including property and fidelity. More automation in manufacturing, for example, creates more opportunities for system failures. Machinery malfunction could lead to property damage, bodily injury, or product defects.

“It’s possible that, either through deliberate hacking or a coding mistake, a machine stops operating the way it’s supposed to,” Graf said. “But when the damage incurred is physical rather than related to intangible data, it’s often not covered under a cyber policy.”

Some carriers are also moving to specifically exclude coverage for physical damage losses from a cyber event in their property policies. The same goes for theft of funds perpetrated via a social engineering scam.

“A cyber policy likely won’t cover a fraudulent transfer when no one actually infiltrated your network. And because the funds were willingly sent, a crime policy often will not pick up that loss either, even though the employee was tricked,” Robb said.

Fact: Tangible losses resulting from a network security issue or phishing may not be covered under a cyber, property or crime policy.

Myth #4: It doesn’t matter which carrier I buy my policy from.

“I see a lot of insureds making decisions mostly based on cost,” Graf said. “Comparing two cyber policies is like comparing apples to oranges because the types of coverages included in the policies, how broadly things are defined, the exclusions — they can vary greatly.”

The cost of a policy also does not reflect the strength of a carrier’s claims team or their risk mitigation services. A less expensive policy from a new entrant in the market may not come with a dedicated claims staff, which means claims and breach response are handled more slowly.

Established carriers also bring with them their relationships with loss prevention vendors, like security, PR, and forensics firms.

“A handful of us have been doing this for quite some time and have fully staffed teams and fully vetted panels,” Robb said. “That enables a fast claims response and a much better customer service experience.”

Fact: Vetted risk control services and a dedicated claims team are just as important as a policy itself.

Expertise Matters in a Changing Market

In the ever-evolving world of cyber risk and insurance, partnering with experts is critical to being as prepared as possible when a loss eventually occurs.

Within their Risk Control group, CNA has 11 Certified Information Privacy Technologists, many of whom hold other certifications through the International Association of Privacy Professionals. Graf himself comes with 15 years of experience including ethical hacking and penetration testing.

“They are there working day-in, day-out with the underwriting teams, and I occasionally work with our claims team when they have a complicated claim that comes in,” Graf said. “This way we all understand what actually happened.”

A dedicated 10-person claims staff also works on cyber claims, all of them former attorneys, and many of them with more than 10 years of experience.

“We’ve been in the cyber market since the beginning, and we’re not going anywhere,” Robb said. “We’ve committed the time and resources to remain a leader in this space and provide a best-in-class cyber offering.”

To learn more, visit cna.com/cyber.



This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with CNA. The editorial staff of Risk & Insurance had no role in its preparation.

Serving business and professionals since 1897, CNA is the commercial insurance carrier of choice for more than 1 million businesses and professionals worldwide.

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.


That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.


Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on.

Michelle Kerr is associate editor of Risk & Insurance.