Cyber insurance mistakes that have cost risk managers their job
June 2018 | EXPERT BRIEFING | RISK MANAGEMENT
In the last few years, an alarming number of risk managers have lost their job because of mistakes they have made related to their cyber insurance programmes. The unfortunate thing is that, unlike a company’s ability to stop a breach, avoiding costly mistakes with a cyber insurance policy is possible.
Failing to appreciate the importance of the cyber insurance application
One of the more common mistakes risk managers make with their cyber policies is failing to understand the importance of the application. The definition of ‘application’ in a cyber policy is important because the application is the foundation for the coverage. If material information is omitted or misstated in the application, it may constitute application fraud and could result in rescission of the policy or a denial of coverage for a claim.
A cautious risk manager must take care to share the application questions with management, the IT department and any other relevant persons to ensure the answers are 100 percent accurate. If a yes or no response is not appropriate, a risk manager must take the time to explain the full answer in attachments to the application. Because this issue is so important, it is advisable to get legal counsel involved.
Failing to know about the duty to defend
Most cyber liability policies are written on a ‘duty to defend’ basis. This means that decisions such as which law firm to use, whether and how to defend a claim and on what terms a claim should be settled are determined by the insurance carrier and not the insured. Although this is fine for some, many companies may be uncomfortable with this arrangement in the event of a large breach or regulatory matter that may determine the future of the company or severely tarnish the company’s reputation.
To avoid this situation, risk managers should carefully review defence arrangements with the board, general counsel’s office and IT department in advance of a claim. If the company has a specific law firm or vendor that it wants to use, it should negotiate this prior to renewing its coverage. Often, insurance carriers are willing to allow the use of a specific law firm or vendor if the issue is raised at renewal. Underwriters have strong incentives to accommodate such requests. Claim adjusters, however, do not.
Failing to secure coverage for social engineering fraud
Another common and potentially costly mistake made by risk managers in recent years is the failure to obtain coverage for ‘voluntary transfers’ related to social engineering fraud or phishing attacks.
There are many variations on this scam but essentially, the chief financial officer (CFO) receives what appears to be a legitimate email from a client or vendor asking him or her to wire money to an account. The email often looks completely real and, in fact, is often the result of a hacker breaking into the client’s or vendor’s system, allowing the hacker to send messages from the client’s or vendor’s actual email address. Only after wiring the money (often multiple transfers and increasingly larger sums) does the CFO learn that he or she has become a victim of fraud.
Unfortunately, many companies are not covered for this type of loss even if they purchase cyber liability insurance coverage. Most cyber insurers will not cover this loss because it was not the insured’s system that was hacked – instead, it was a client’s or vendor’s system that was breached. Without a breach, there is no covered loss under the policy despite the obvious fraud on the insured.
Adding insult to injury, the typical crime/fidelity bond policy will also not respond because there is no ‘theft’ in a social engineering scam because the insured ‘voluntarily gave’ the money to the scammer. Many crime policies specifically exclude any ‘voluntary transfer’ of money from coverage. This exclusion applies even though the CFO was tricked into wiring the money.
The most frustrating and unfortunate part of this situation, is that coverage for this type of social engineering fraud is generally available upon request from most crime policies and some cyber liability insurance policies. Moreover, there is usually only a nominal additional premium required for the coverage.
It should be noted that cyber policies with at least some coverage for social engineering is not enough. Recently, one cyber insurer has started offering higher limits of coverage for social engineering fraud provided that the insured has and follows a multi-factor authentication process prior to wiring any funds. While this may sound attractive, and many risk managers have purchased this coverage, the reality is that if a company is following a multi-factor authentication process, it is extraordinarily unlikely that the company will be the victim of a social engineering fraud. In other words, the ‘extra’ coverage only serves to provide the insurer a reason to deny coverage because the company failed to follow the multi-factor authentication process. This can leave the company with even less coverage than if it had not purchased the coverage ‘enhancement’.
Failing to negotiate the excess policies
Most cyber liability insurance programmes with more than $10m in limit will require an excess ‘follow form’ policy. Despite their name, few excess policies truly follow the terms and conditions of the primary insurance policy. Instead, most excess policies will add various terms and conditions that have the potential to significantly impact the overall protection provided by the cyber insurance programme of insurance.
Notwithstanding the potential impact that these added terms and conditions may have, excess policies are often wholly neglected. Insureds fail to analyse or negotiate their excess policies for many reasons. Sometimes, they just assume the excess policies are all the same and they just pick the cheapest one. Often, they just run out of time to deal with the excess policies as the renewal date approaches.
This makes little sense because, once the limit of liability of the primary policy is exhausted, the excess policies will be very relevant to whether a claim will continue to be paid. In fact, in a large insurance programme, the excess policies often constitute the vast majority of the limit of coverage.
Bonus tip – plan for the GDPR
The General Data Protection Regulation (GDPR) is scheduled to come into effect on 25 May 2018. The law impacts all businesses that provide goods or services to individuals in the European Union (EU), regardless of whether the business has stores or processes data within the EU. The maximum fine for not complying with the GDPR is €20m (roughly $23.7m) or 4 percent of a company’s worldwide revenue (not profit), whichever is greater.
Although cyber insurance can provide protection for fines and penalties, it is not clear whether the current language in many cyber policies will cover the fines and penalties related to the GDPR.
The time to clarify this coverage is now. At least one insurer has provided a specific endorsement to make it clear that its cyber policy will cover any fines or penalties related to the GDPR. Without such an endorsement, a company may find itself uninsured – or at least stuck in a battle with its carrier over coverage. Risk managers that have the foresight to add this coverage before a claim occurs could save their companies millions of dollars. Those risk managers that fail to at least investigate whether the coverage is available may be looking for a new job in the event of a claim.
Cyber insurance is changing rapidly with new policies and coverage grants appearing on a regular basis. Risk managers have the tough job of needing to stay current on new and constantly changing coverage and keep their board informed of the coverage that they have. Too often, boards are content simply knowing that they have a policy and the overall limit of coverage they purchase. This is not enough and can prove costly to both the company and the risk manager. Although difficult, a well-informed risk manager can save the company after a cyber breach. Perhaps just as importantly to the risk manager, taking the time to understand and negotiate the company’s cyber insurance coverage may just save his or her own job.
Thomas H. Bentz, Jr is a partner at Holland & Knight, LLP. He can be contacted on +1 (202) 828 1879 or by email: firstname.lastname@example.org.
© Financier Worldwide
Thomas H. Bentz, Jr
Holland & Knight, LLP