We've asked lots of questions to an esteemed panel of professionals in the Cyber Insurance Sector and we got all kinds of wonderful answers. I literally wish that my auto insurance worked like Cyber Insurance! But, where do we go from here? Paul Ferillo, Partner, at McDermott, Will, & Emery answers the questions on everyone's mind and provides a detailed look on The Basics and Essentials of Cyber Security Insurance.

By Paul Ferrillo

Given my insurance background, and given my profession as a lawyer skilled in handling large cyber incidents and large cyber and privacy litigation, I often get involved with helping clients obtain and manage cyber security insurance for corporations and businesses.  

I was lucky enough recently to be asked to participate in a recent Webinar on cyber security insurance organized by Wizer entitled: Is Cyber Insurance Worth It?  The panel was excellent and the content was very detailed and helpful. Since cyber security insurance always engenders questions, there was a great deal of interest by the audience in learning more.  This short memo hopefully answers a lot of those questions ( though the panel was both US, EU and UK based, I am not.  So I can only answer the questions from a US perspective).

What is standalone cyber security insurance and what does it cover?

Standalone cyber security insurance is a broad form policy that generally cover cyber breaches and attacks, including ransomware attacks, along with privacy and cyber security litigation and investigations.  It has two components, first party coverage (to “investigate,” “remediate,” and “clean up the breach” and get you up and running), and third party coverage for the investigations and litigations that unfortunately go along with a large cyber security breach. 

Costs could involve both legal costs, and forensic consulting costs for a provider brought it to deal with a breach.  There is business interruption coverage for network downtime.  There is reimbursement coverage if you suffer a ransomware attack and need to pay the ransom to get “out of jail.”  These coverage parts all work together, and often one big breach can invoke multiple coverage parts.  Most cyber security insurance provides reputational and crisis management coverage that can help large and mid-sized businesses deal with the fallout from cyber attacks from customers, clients, and investors, especially if its ransomware related, see e.g. https://www.chubb.com/us-en/business-insurance/cyber-products.aspx, and  https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/cyberedge-wording-sample-specimen-form.pdf. for two examples of the laundry list of cyber security insurance coverages you can purchase. 

Policies are purchased with “limits of liability” so that coverage can be tailored to the specific business.  Many times policies have sub-limits for particular areas of coverage (like first party coverage).  Policies can range from very small, to very large (with cyber security insurance towers running into the hundreds of millions for very large public companies). 

Unless you specifically purchase additional coverage,   See e.g https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/cyberedge-plus.pdf.,  https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/cyberedge-pc.pdf.,   standalone cyber security insurance generally does not cover personal injury insurance and property damage claims arising out of a cyber security.  Thus depending upon your business, you could need two types of cyber security insurance to be fully covered for “all risks.”

How do I get it? How much do they cost?

Standalone cybersecurity insurance is obtained through an insurance broker and by filling out an application for coverage.  Very often the carrier involved will also want a cyber diligence call with your organizations CIO or CISO.  As far of as underwriting standards go, carriers vary, though many will accept your work to fulfill  the NIST cyber security framework (ver. 1.1), see e.g. https://www.nist.gov/cyberframework.  Carriers are not there to provide you with technical support (like what version of MSOFT Windows you should be running), but they do have pre-breach cyber security services which they provide to their insureds.  See e.g. https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/cyber-loss-control-services-all.pdf 

Each Carrier will have a multi-page application for what it considers to be normal elements of a healthy and secure network and might (per industry) have specialized questions that fit the specific business vertical they are underwriting.  For the most part, the carrier’s underwriters (the people who issue the policies) are very skilled and experienced.  Many underwriters have cyber or computer backgrounds. Cyber is an important part of many carrier insurance offerings and those involved take it very seriously. 

The cost of a policy is based upon the limit of liability sought to be purchased along with the risk perceived by the insurance underwriter. There is generally no set formula nor “standard” premium. It's risk controls for the most part.

For those thinking about purchasing coverage, some wise advice is to have a methodology that ensures your business and network are prepared and remains prepared to deal with any cyber eventuality.  That would include network preparedness (e.g. update to date firewalls and intrusion detection solutions), a fully trained and operational “patching” policy (to address matters that are identified by US CERT and others during Patch Tuesday), employee training and preparedness along with having the basic policies in place like an incident response plan, business continuity plan, and a crisis communications plan.  A functional and well thought out business continuity plan (with a “back up” policy supporting it) and a well thought out cyber supply chain risk identification and management policy are two big areas today of examination given the ransomware plague in the US.  Having a recent vulnerability assessment would be most appreciated by the carrier involved.  If you are in a regulated business (like a registered SEC investment advisor), a description of your regulated entity compliance methodology would also be helpful materials for you to have available.  

As the old expression goes, “How do you get to Carnegie Hall? Practice, Practice, Practice.”  The same things generally hold true in the cyber security world and the cyber security insurance world too.  The more preparation you do before the underwriting process, the more it will show that you have cyber risk “under control.”

We hope this answers a lot of questions that you might have thought of during the webinar.  If there are any questions, please feel free to reach out to any of the panelists, or to me at pferrillo@mwe.com

To see the recorded webinar, visit Wizer's On Demand Webinars page here.

 

Paul Ferrillo
Written by Paul Ferrillo

Cyber “first responder” and crisis specialist, with regulatory Cyber experience; Board of Directors governance advisor and securities litigator. Adjunct Professor: Florida State University College of Law; Lecturer: Harvard Law School. Author: best-selling primer, "Navigating the Cybersecurity Storm: A Guide for Directors and Officers" and updated 2017 primer, "Take Back Control of Your Cyberecurity Now." Board of Faculty Advisors and Lecturers, Boston College, Master in Science in Cybersecurity Policy and Governance. Specialties: federal securities law, directors and officers issues relating to corporate advancement, indemnification and D&O liability insurance law (with heavy focus on M&A litigation, restructuring and bankruptcy related issues), cybersecurity law and regulation, and privacy law and regulation. Director: Infraguard, N.Y. Chapter; Stemgarden Institute (promoting STEM education)