The COVID-19 crisis has not only identified new concerns for businesses but also highlighted existing problems that either have become more critical or will be more critical moving forward.
Count among them the issue of cyber attacks and corresponding cyber insurance coverage, as businesses deal with increased remote work setups and cyber criminals looking to take advantage of vulnerabilities. Companies have already started to report an alarming number of ransomware attacks in recent weeks, and having cyber insurance with the appropriate coverage can now mean the difference between a company surviving the incident and shutting down because of it.
Preparations — or the lack thereof — will become obvious when the inevitable occurs, especially during an economic downturn. Now is the time to purchase cyber insurance or make updates to coverage to make sure a business has the correct coverage and doesn’t experience any unnecessary and unpleasant surprises when responding to a cyber incident.
Your company must have cyber insurance
In reality, there is no “secure” — even when the best security measures are taken. When hackers want to get in and disrupt a business, they will.
Companies must be resilient, and the key is to have the ability to take that punch to the face, get back up, and keep the business moving forward.
Cyber insurance is critical for that by providing a company with the resources it needs to properly respond to and recover from an attack. However, business leaders need to understand the details of a policy and what it does and does not cover.
Most importantly, only policies specifically designed to cover cyber risk, cover cyber risk.
Standard insurance policies typically do not provide coverage for cyber risk. You must have a policy that is specifically designed to cover cyber risk and, more appropriately, the unique cyber risks your company faces. If you do not know that you have cyber risk coverage, you probably do not.
Ignore the misinformation
Reputable carriers pay claims under cyber policies.
When a policy legitimately covers a claim, the carriers pay. We have handled hundreds of cases where insurance carriers have fulfilled their obligation and paid for the response, mitigation, notification, litigation and regulatory investigation costs. If you want an idea of how many and what kinds of cyber claims are paid each year, the NetDiligence 2019 Cyber Claims Study examined over 2,000 cyber claims that had been paid.
There are exceptions and outlier cases where an appropriate claim is not paid or where the claim may fall within a gray area and coverage is not clear. This is true of all insurance for all types of risk.
Cyber is no different.
But these cases are the exception, not the rule. Unfortunately, they are the cases that usually get the most attention and create the perception that cyber claims are not paid. These situations are rare, and those who focus only on them are ignoring the thousands of cases where similar claims are paid.
One prime example of this is the commotion that was created over the use of an “act of war” exclusion to deny coverage for a cyber-related claim stemming from the NotPetya ransomware attacks on snack manufacturer Mondelez. Most of the articles written about this case focus on a carrier denying a cyber-related claim because of an “act of war” exclusion, and then extrapolate that, since many malicious cyber attacks are believed to stem from nation states or what were once nation state cyber weapons, virtually all cyber claims could be denied using a similar “act of war” exclusion. This makes for great attention-grabbing headlines, but what you never see mentioned in those articles is that the policy at issue was not a cyber policy. It was a property policy.
Mondelez was seeking coverage for cyber losses under a property policy — a property policy that had an “act of war” exclusion that was different from the exclusions that are in most standalone cyber policies. You also do not hear the part about how insurance carriers had already paid out millions in claims for losses from NotPetya under true cyber policies.
You manage your company’s risk by honestly evaluating the probabilities, not getting hung up on the most unlikely exception. Addressing cyber risk should be no different. When you get a cyber policy from a reputable carrier, the likelihood that the carrier will cover those claims is just as high as the carrier covering any other kind of claim for which you have insurance.
You probably cannot use professionals you already know and trust unless you demand it
Cyber insurance policies typically specify that if your company has an event and makes a claim, you will be required to work with the service providers who are on the insurance carrier’s “preferred” or “approved panel” list. This means that if you already have a relationship with an experienced attorney, cyber forensic firm, PR firm or forensic accounting firm that you know and trust, you probably can’t work with them unless they are approved.
There is a good reason for this requirement.
Cyber incident response and serving as breach counsel is a highly specialized skillset and the attorney must truly have significant experience in that role or else the consequences — resulting losses for the client and the insurance carrier — can be catastrophic. Few lawyers have this experience. The insurance carriers have a vested interest in making sure the attorneys they approve have been vetted and can handle the role. This is ultimately much better for the client than if their go-to business attorneys were trying to serve as their breach counsel.
There are solutions to this problem for clients that already have a relationship with an experienced attorney, cyber forensic firm, PR firm or forensic accountant: address these issues up front. If you know who you want to work with when you are obtaining your policy, make it clear and get a policy with a carrier that will let you work with the professionals of your choosing, or have the professionals you know and trust written into your policy.
This is not a difficult process, but the key to navigating it is to be prepared. Once the policy has been issued, it may be too late.
The best way to get the right cyber risk policy is to work with a reputable broker who is truly knowledgeable about cyber risk and cyber policies. There are a lot of brokers trying to sell cyber policies, but many of them do not truly understand the policies, cyber risk, or your company’s unique needs. Make sure the broker you work with truly understands cyber risk.
Contact professionals you know and trust to ask for advice on how to get the right policy that will allow you to work with them. Let them connect you with a good insurance broker who truly gets cyber risk and has the relationships that will allow them to find an excellent policy that fits your needs and allows you to work with the professionals you know and trust.