Cyber Risks
Seeking Clarity for Cyber Cover
It was a black-or-white question: Do you have procedures for responding to allegations of a privacy breach?
But the answer was a shade of gray for the University of Wyoming, which was applying this year for its first cyber insurance policy.
“The answer might be yes, we have procedures, but they might be different for our two medical clinics than they would be for the accounts receivable department,” said Laura Peterson, chief risk officer for the university, in Laramie, Wyo.
Similar conundrums are confronting risk managers around the country as they apply for cyber coverage. Risk managers are finding that the cyber application process is more taxing than it is for traditional insurance — especially for organizations analyzing coverage for the first time.
It’s the difference between buying a couch for the living room, and trying to install a home wireless network that syncs with computers, televisions and stereos, said John Mullen, chair of the U.S. data privacy and network security group at the law firm Lewis Brisbois. “It’s just a whole different level of complexity.”
Interest in policies has spiked over the last year, prompted by high-profile data breaches, including one that has cost retailer Target Corp. nearly $150 million to date. Insurance covered about $38 million of the total, according to the company.
When cyber insurance first emerged in the late 1990s, insurers sometimes hired third-party vendors to test the network security of organizations as part of the underwriting process. They also would schedule meetings with clients to review their cyber defenses.
Today, most insurers rely on applications boiled down as much as possible to yes-or-no questions. The forms serve as a handy checklist for cyber security efforts, according to brokers and insurers, but the answers don’t come easily.
“Many customers are very uncomfortable with that binary sort of yes-no response because it’s not 100 percent ‘yes,’ and it’s not 100 percent ‘no,’ ” said Greg Gamble, a director at Crystal & Company, a brokerage in New York City. “A lot of the time that we spend with clients is helping them pick yes or no, and then how to explain the answer.”
Companies, for example, worry about how an answer looks to the insurer, Gamble said. An application might ask whether a company outsources its information security management to a qualified firm. “What if you say, ‘no’? Is that bad?” Gamble said. “Maybe you have an employee who handles it.”
Getting Cooperation
Risk managers also often have to hunt for the answers, whether from internal staff or external vendors. And colleagues in IT may perceive the application for insurance as second-guessing their efforts to protect data.
“I can understand why that would be a difficult pill to swallow,” said Anne Corona, managing director and U.S. practice leader for cyber insurance at Aon Risk Solutions. “But I think everyone understands that this isn’t a criticism, but an added level of protection, really, from a financial perspective.”
At the University of Wyoming, Peterson contacted the IT staff to lay the groundwork before she started lobbing questions. She explained that cyber coverage was not a reflection of the department’s work, but a necessary safeguard. And despite good intentions, accidents can happen, she added, just as they do in other university departments. An employee could click on the wrong link in an email, or lose a flash drive.
“We didn’t have any trouble getting them to help us complete the parts of the application that we needed their help with,” Peterson said, noting that she also needed assistance from administrators in other areas, such as finance.
One question asked for the percentage of revenue from credit card transactions, Peterson said. But revenue for a university is different than revenue for a business. Peterson put down 9 percent, and explained the sources of revenue, including state and federal funding.
“We want to give them as much information as possible,” she said.
Since their answers could come back to haunt them in a coverage dispute, risk managers and other insurance buyers need to take extra care.
“If they make a representation in an application that they have certain security measures in place and those security measures aren’t followed … or aren’t actually in place, then the insurance company could conceivably use that as a basis to avoid coverage if there is a claim,” said Brooke Yates, a partner in the litigation department at the law firm of Sherman & Howard in Denver.
Past breaches, if they’re not reported on the insurance application, also could become an issue, said Tracy Tenorio, a senior vice president and account executive at ABD, a commercial brokerage in San Mateo, Calif. Insurers bind coverage on the understanding that the client is not aware of anything that could lead to a claim, Tenorio said. Questions about that awareness are often the first place an insurer will look after a claim.
“The good thing is that the carrier will often ask the client, ‘OK, we need to talk about this because this is what I believed the risk to be; this is how you answered the question. What am I missing?’ ” she said.
Smaller companies, already worried about the perceived cost of cyber insurance, may be turned off by the application process before they even begin, said Reza Khan, executive vice president of ThinkRisk Underwriting Agency in New York City.
“From our experience, many cyber applications are not designed with the typical small to middle-market firm in mind,” Khan said.
Easier Applications
ThinkRisk recently introduced a 21-question application for a new admitted cyber/privacy product. The questions reflect the company’s concern that many firms won’t understand typical cyber jargon.
“Quite frankly, when you’re entertaining a $10 million dental practice, how much technical underwriting information do you really need to properly assess and price their exposures?” Khan asked.
Others are seeking to streamline applications as well. Allied World North America, for example, offers an application that asks only a few questions if companies have fewer than 50,000 records, according to Josh Ladeau, cyber practice leader for the insurance carrier. Policies are capped at a limit of $1 million.
Companies may not fully understand how many records they actually have, Ladeau added. But Allied World is confident it has the underwriting experience to tell if a business is undercounting. “Even smaller retailers will have more than 50,000 transactions,” he said.
Once they get through the application process, risk managers still have to sort through products that can be difficult to compare.
Approaches to notification costs are among the variables. Some insurers offer an overall sublimit, while others provide limits based on the number of people being notified, said Sheri Pastor, partner and practice leader for the insurance coverage group at the law firm McCarter & English in Newark, N.J. Some carriers require the use of prescreened vendors to deal with a breach, while others allow policyholders to choose their own.
“It is not unusual for a risk management department to take a long period of time to analyze these products, and then decide which to place,” Pastor said. “Many companies can explore them for months, if not a year or more, with their renewal cycles coming and going.”
Risk managers also must be alert to the ways a cyber policy could interact with their other policies and exclusions, brokers and insurers said.
Emerging risks are another factor to consider. Content liability is overlooked in many cyber policies, for example, but could pose a threat, said Ken Goldstein, worldwide cyber security manager for Chubb Group of Insurance Cos. Businesses could face claims if a competitor believes it is being disparaged in an online ad, or a person’s image is being misappropriated.
“There’s real claims activity in this area,” Goldstein added.
At the University of Wyoming, Peterson grappled with decisions about breach-response and credit-monitoring services. Depending on the scope of a potential breach, the university might have to notify people in every state. It has 13,000 undergraduate and graduate students, as well as thousands of alumni around the country. In addition, thousands attend concerts, football games and other events at the university.
“You can listen to other people who have had breaches, but they’re all very, very different, depending on whose information was breached and what information was breached and what state is affected,” she said. “So it’s really just hard to know.”
Brokers have helped Peterson sort through the details. But, she added, “Ultimately, it still comes down to me trying to assess what’s most likely to happen here or, even if it’s not what’s most likely, it’s where are the places where we’re going to want the most assistance, and that’s an institution-by-institution analysis.”