Ten Things to Know About Cyber Insurance (But Were Afraid to Ask)
With increased reliance on technology in a digital world, and as cyber threats continue to proliferate, cyber insurance has quickly become an essential policy for any robust risk management program. During the past two decades, the cyber insurance market has rapidly expanded, accompanied by intense competition among insurers. As the scope of cyber coverage continues to develop and evolve, policyholders must tailor the coverage to their needs rather than rely on a one-size-fits-all approach.
Below are ten key considerations for securing cyber insurance coverage with practical insights to guide your organization through the complexities of cyber risk management.
- The Cyber Insurance Application: A Delicate Balancing Act
The cyber insurance application process often differs significantly from other lines of coverage. Insureds should expect a far more intense underwriting process and plan accordingly. Unlike other types of insurance where basic financial information may suffice, many cyber insurers will require detailed information regarding security protocols, vendor relationships, data handling processes and incident response plans. Critically, insurers have been able to point to misrepresentations in the application to deny coverage for major losses. To mitigate this risk, the application should be carefully reviewed by a variety of internal stakeholders across the IT, risk management and legal departments. When completing the application, if a question seems unclear or cannot be answered with a simple checkbox, policyholders should take the time to provide additional context or seek clarification. Providing a more detailed explanation ensures that the insurer fully understands the risk and, in some instances, can even result in more favorable terms or reduced premiums.
- Essential Elements Of The Cyber Insurance Policy: What Your Policy Should Cover
As there is no standardization, the scope of coverage under cyber insurance policies will not be identical from one policy form to the next. However, there should be some commonalities. Most cyber insurance policies will cover both first-party losses and third-party claims. First-party coverage typically includes breach response, data loss and restoration, and business interruption due to cyber incidents. Third-party coverage, on the other hand, extends to claims brought by others, such as regulatory suits and privacy liability claims. In analyzing what is covered, organizations should consider whether they are vulnerable to specific risks and tailor the policy coverage accordingly.
- Understand The Fine Print: Exclusions and Hidden Limitations
Unsurprisingly, cyber insurance policies, like all insurance policies, contain exclusions. Because cyber insurance policies are not standardized, however, insurers may be willing to modify or even delete certain provisions. One key aspect in reviewing exclusions is seeking to narrow the prefatory language of the exclusion: subtle differences in this wording can dictate whether coverage exists. For instance, ideally the exclusions will be narrowly tailored “for” specified claims and losses and not extend to claims and losses “arising out of, directly or indirectly, in whole or in part” various causes. Further, in addition to what is in the exclusions section, policyholders should equally consider hidden exclusions in the form of sublimits or limitations within definitions.
- Retroactive Coverage: Guarding Against Latent Breaches
A cyber incident or breach can go unnoticed or underappreciated for months or years. In that regard, it’s critical for insureds to try to maximize retroactive coverage and avoid policy limitations or exclusions that eliminate coverage for incidents taking place before a specific date. Organizations should seek to ensure that the policy extends to incidents discovered during the policy period regardless of whether they occurred before the policy took effect.
- Mitigating Risks From Social Engineering Attacks
Social engineering attacks, such as business email compromises, involve fraudulent schemes that manipulate or trick individuals into divulging information or performing actions that compromise security. In 2022 alone, the FBI’s Internet Crime Complaint Center (IC3) received complaints with losses totaling more than $2.7 billion from business email compromise. Two of the most common attacks leading to losses involve funds transfer fraud and invoice manipulation fraud. Funds transfer fraud occurs when a criminal actor convinces a company to transfer funds to a fraudulent account. Invoice manipulation fraud, on the other hand, occurs when a criminal intercepts and alters a legitimate invoice sent by a vendor, leading the customer to unknowingly pay the fraudster. Under such circumstances, the customer may not face further liability because there was good-faith payment on an invoice presented by the provider. Given their prevalence, organizations should ensure that both styles of attack are covered. Additionally, policyholders should avoid policy language that requires burdensome manual payee identity verification procedures and watch for sublimits that provide an insufficient level of coverage.
- Ensure Appropriate Coverage For Ransomware Attacks: Looking Beyond the Ransom Payment
Ransomware attacks have become increasingly common and affect businesses of all sizes across various industries. When considering ransomware coverage, it is essential to look beyond just the ransom payment. While paying the ransom may seem like the immediate issue, the true financial impact often lies in business interruption and the cost to restore data and systems. A robust cyber insurance policy should cover these extended costs, including recovery efforts, forensic investigations and lost revenue during downtime. Additionally, policyholders should have a say in the decision of whether to pay a ransom, as insurers sometimes reserve control over this determination. Another key issue relates to “war exclusions.” These exclusions gained a lot of attention following the NotPetya attacks when some insurers asserted them to deny coverage based on the theory that the attack was caused by a state-sponsored actor. Policyholders should seek to modify these exclusions so that they are limited to losses resulting from or in conjunction with kinetic war.
- Covering The Regulatory Landscape
The regulatory landscape for cyber risks is constantly shifting. In addition to the General Data Protection Regulation out of the European Union, nearly 30 states in the United States have adopted comprehensive cybersecurity statutes with more to come in 2025. With major differences between the various statutes, businesses need to ensure that their cyber insurance policies reflect these differences and anticipate potential regulatory changes. Companies should seek to obtain coverage in their cyber insurance policy for fines and penalties. Additionally, organizations should try to avoid language that ties coverage to whether fines are “insurable” under the laws of a particular jurisdiction.
- The Intersection of Cybersecurity Events and Securities Claims
In 2023, the SEC adopted new cybersecurity disclosure regulations, mandating timely and transparent reporting of material cyber incidents and risk management processes. With increased regulatory scrutiny on cybersecurity practices, D&O claims have started intersecting with cyber claims, particularly in the context of alleged securities law violations. In such cases, both cyber and D&O policies may come into play. To avoid gaps in coverage, companies must take a holistic approach in purchasing D&O and cyber insurance policies.
- Integrating Cyber Insurance into Your Incident Response Plan
Cyber insurance should not be an afterthought in an incident response plan. This means understanding notice requirements, documenting all losses and expenditures, and securing pre-approval for legal and forensic vendors. Failure to adhere to the policy’s technical requirements could lead to the insurer denying a claim or a portion of it. Ensure you are aware of such provisions and work with your insurer to obtain pre-approvals before incurring significant costs.
- If The Insurer Denies Coverage: Strategies for Insurance Recovery
If a cyber insurance claim is denied, policyholders should not sleep on their rights. As an initial approach, present a well-prepared case with supporting documentation and lean on any business relationships you or your broker have to seek a favorable resolution without the need for litigation. If that fails, before proceeding to litigation, consider whether the insurance policy contains any alternative dispute resolution (ADR) provisions. If litigation becomes necessary, consider whether there are any forum-sensitive issues and whether the law of one state may be more favorable than others.