RIMS advises businesses on cyber insurance needs

A company’s assessment of its cyber insurance needs should begin with an assessment of the sources of risk and perils and whether they are covered by traditional policies or are excluded, according to a report from the US Risk and Insurance Management Society (RIMS). The report, Cyber Insurance: Considerations for Businesses, states that organisations considering standalone cyber coverage should determine whether more traditional policies provide adequate coverage. The report, authored by Teri Cotton Santos, a member of the RIMS external affairs committee and senior vice-president, chief compliance and risk officer at The Warranty Group, explores the potential for traditional policies to cover cyber events, as well as first-party coverages, third-party coverages and additional needs. “Insurance providers are challenged with trying to keep pace with the evolving cyber landscape and develop products that help clients protect their organisations,” commented Ms Cotton Santos. “Working closely with your broker can help insureds purchase coverage that addresses key risks to the organisation that can result from a cyber event.” The report notes that 80% of respondents to the 2016 RIMS Cyber Survey had purchased standalone cyber insurance policies, up 29% from 2015. This is not simply because of the increasingly high cost of a cyber breach, but also due to contractual requirements imposed by business partners. While cyber coverage may have originally been intended to address data privacy or data breach issues, the range of risk exposures presented by cyber-related events reaches far beyond this and therefore can impact any organisation, not just those that collect and store sensitive personal information. The report also points out: “The emergence of the Internet of Things and the reliance upon technology to support critical infrastructure represent a different form of risk exposure for entities such as commercial carriers and utility providers. Finally, all organisations can be subject to business interruption losses or crisis management costs, both of which are typical offerings in cyber insurance policies today.” Companies may look to more traditional policies like commercial general liability (CGL), property or crime, to provide coverage for cyber-related events. And the report points out that in some cases, the courts in the US have agreed with the insured, with coverage deemed to exist for cyber exposures under CGL, fraud or property policies. “However, coverage under such policies may diminish in the future as insurance companies write cyber risk out of traditional policies,” notes the report. “The trigger for cyber coverage is typically loss or a claim arising from either a security failure (due to a break in to the insured’s technology systems) or a privacy event relating to the unauthorised access or loss of personal information. These loss causes are ordinarily not covered by property or general liability policies, which is why companies seek standalone coverage.” Indeed, the report notes that some insurers are using an endorsement for CGL policies that excludes data breach liability. The report examines the two main cyber coverages: first-party and third-party liability. First-party coverages include network interruption/business interruption, cyber extortion/ransom, data loss and restoration, reputation/crisis management, forensic investigation costs, and regulatory fines. Third-party coverage includes privacy liability coverage, which covers the insured’s liability for breaches of the private information of third parties such as clients, customers, business partners and employees. Additional costs related to privacy events including breach notification costs and credit monitoring can also be offered in cyber packages, the report states. It notes that cloud coverage and outsourced service provider coverage for the insured are growing areas for coverage, given the levels of outsourcing. “Some insurers are offering first-party coverage that protects losses due to business interruption related to outsourced providers,” states the report. It advises that organisations that rely on outsourced vendors to manage their data should consider whether a cyber policy covers the acts or omissions of third parties. Finally, the report warns that not all policies are equal in terms of exclusions. “The insured should carefully consider language related to shortcomings in the insured’s security, which can be subjective and therefore should be avoided. Additionally, some policies exclude acts of terrorism, which may prevent an insured from recovering if an event is triggered by the actions of a hostile nation.”

RIMS advises businesses on cyber insurance needs

Want to read this article?

Read Next

Insurtech partners with USAID on climate adaptation programme

ICEYE in data collaboration with Juniper Re on flood and wildfire

Senior appointments in Lockton’s crisis management team

European rates up overall but financial and cyber lines falling: Marsh

European Parliament approves regulation to tackle forced labour

Insurtech partners with USAID on climate adaptation programme

ICEYE in data collaboration with Juniper Re on flood and wildfire

Senior appointments in Lockton’s crisis management team

European rates up overall but financial and cyber lines falling: Marsh

European Parliament approves regulation to tackle forced labour

Want to read this article?

Read Next

Insurtech partners with USAID on climate adaptation programme

ICEYE in data collaboration with Juniper Re on flood and wildfire

Senior appointments in Lockton’s crisis management team

European rates up overall but financial and cyber lines falling: Marsh

European Parliament approves regulation to tackle forced labour

Related Articles