Cyber, he said, “is one of the fastest moving and changing industries we have ever seen. New threats emerge that are difficult to defend against, and it is even more difficult for insurers to predict accurately a premium that provides appropriate cover at a price that is both affordable and delivers value. As a result, we continue to see premium volatility and exclusions.”
Indeed, given a lack of granular data, several experts say it is crucial for organizations seeking coverage to comb through the fine print, so they don’t end up paying for what Lynda Bennett, chair of Lowenstein Sandler’s Insurance Recovery Group calls “illusory” coverage.
“Exclusions in cyber policies are a significant challenge, especially because exclusionary language is often embedded in the definitions section of the policy and elsewhere,” she said. “There are some policies that have so many enumerated exclusions and hidden exclusions in the definitions section that companies must carefully evaluate whether the insurer intends to provide any coverage at all.”
Gottschalk said she has not seen any “meaningful increase” in premiums in the small-business segment. But, she said, “costs could vary drastically between those and larger businesses. Because cyber insurance covers a wide range of costs incurred from a data breach, including credit monitoring services and investigation fees, insurers could be increasing premiums on larger businesses.”
In short, experts say given the complexity and uncertainty of the market, their best advice to those looking to buy cyber insurance is: Don’t try it alone. Seek professional help – both to figure out what kind of coverage you need, and to help comb through the fine print.
This requires, “knowledgeable risk managers, brokers and coverage counsel,” said Elliott Kroll, a partner at Arent Fox and chair of the firm’s Insurance Practice Group.He said a number of recent court decisions have demonstrated that, “even large, sophisticated companies have failed to adequately assess the coverages provided by the cyber policy that they purchased in connection with their risk profile.”
Bennett agreed. “The market remains very much in flux and there are many traps for the uninformed,” she said. “Policyholders must conduct careful diligence before soliciting quotes from insurers.”
Stephen T. Raptis, a partner in the insurance recovery practice at Manatt, Phelps & Phillips, has a list of recommendations for his clients, which could be summarized as: Do your homework and don’t be shy about negotiating. They include:
- Review specimen policy forms – very carefully – from multiple insurers to get the broadest coverage possible, paying special attention to language that could signal coverage gaps.
- Use the most favorable language from each form as leverage when negotiating with competing insurers.
- Be as complete and accurate as possible when completing the policy application. Don’t be afraid to ask broker or insurer for additional explanation or help in simplifying the application process.
- Seek out insurance brokers that are experienced in placing cyber policies.
- Pay close attention to any “retroactive date,” which may eliminate coverage for losses arising from events that precede it. Seek to have the retroactive date backdated as far as possible.
- Be wary of war and terrorism exclusions that eliminate coverage for cyber attacks from foreign countries with political, religious or social motivation, or for personal gain.
- Be wary of open-ended exclusions applicable to a policyholder’s failure to follow minimum required security practices or its own security protocols.
Sign up for CIO Asia eNewsletters.