Cyber insurance: Understanding the legal language

CROs worried about cyber risk are increasingly turning to cyber insurance to offset risk. But is the cover as black and white as it first seems?

Chief risk officers (CROs) and others worried about cyber risk are increasingly turning to cyber insurance to offset their risk. But is the cover as black and white as it first seems?

A recent report, titled Managing Cyber Security as a Business Risk: Cyber insurance in the Digital Age, by the Ponemon Institute revealed some interesting findings about cyber insurance cover.

It showed a very high satisfaction rate by those who have cover, and reported favourably on those who intend to purchase cover soon. However, the main reason for not purchasing cover was expensive premiums, closely followed by too many exclusions, restrictions and uninsurable risks.

The latter point has been highlighted in two well-publicised lawsuits, the first between Sony and its insurer (Zurich American), and the second between Schnuck Markets and Liberty Mutual Insurance. Both cases highlight the need to clarify any grey areas of coverage before purchasing cyber insurance.

These grey areas sometimes arise where the purchaser does not fully understand how the business works, and fails to grasp the limitations and exclusions of the various policies on offer.

Limitations of cover

When considering the limitations of cover it is important to identify the worst case scenario and then work back to establish the cover required. It is important to consider electronic assets, but do not forget physical assets and how they may be damaged in an incident.

You will need to understand the cause and effect of a likely incident, and what event would give rise to a claim. Consider the territories that are covered, especially where the damage may occur and where the assets may reside. This is very important in relation to a cloud service where the data may be located overseas in a different jurisdiction.

The actors involved in causing the damage need to be thought through to ensure that the actions of both insiders and outsiders are covered, not forgetting the supply chain and suppliers to your suppliers. Consider the maximum cover required for a single event as in some cases a series of linked events may be classed as a single occurrence, which in turn could affect your insurance cover.

Know your assets

Do you really understand the assets of your business? The value of an asset could change overnight (for example, a patent may expire) or you could suddenly inherit some new, valuable assets that you had not considered before. How quickly can you flex your cyber insurance cover to cope?

Understanding the value of data assets is sometimes difficult, but forms an essential part of a well specified requirement of cyber insurance.

Other policies

Understanding other insurance cover you already have and what it does or does not cover can make a big difference to your policy requirements. Some policies cover limited cyber risks as part of their broader remit, something often found in professional indemnity policies. If this does provide suitable cover, then maybe an additional cyber policy is not required, but check the wording carefully to ensure you understand any policy limitations.

The findings of the Ponemon report echo the policy analysis undertaken by Incoming Thought in the UK. Taking a detailed look at the definitions, terms, exclusions, cover and expenses under each type of cover, one comes to the firm conclusion that the policies have sometimes been written in an overly legal way.

While the insurance companies need to manage their risk, the average CRO looking to purchase cyber insurance can find the policy wording difficult to get their head around.

The Ponemon report found that, on the whole, most existing policy holders feel that their policy is fairly priced, they would recommend it to others and they have a good relationship with their insurer, which must give some comfort to the industry.

What we need is some better clarity in policies, and a joint agreement of some terms. What we do not need is for the courts to make the clarification, as this will be expensive for all.

Sarb Sembhi is client services director at Incoming Thought.