October 7, 2022
The number of cybersecurity incidents continues to increase, with the average cost of a data breach in 2022 reaching an all-time high of $4.35 million, up from $3.86 million in 2020. In addition to the increasing number of incidents, there have been several large-scale systemic vulnerabilities (e.g., Kaseya and Log4j) that had wide-ranging impacts across industries and geographies.
Here, we have outlined 10 things you need to know about cybersecurity insurance and managing risk in the wake of these incidents.
Cyber warfare is likely to remain on the agenda of the international insurance market following NotPetya and against the backdrop of the Russia-Ukraine conflict, with the London market having released a suite of clauses intended to exclude cover for cyber warfare. Policyholders should read any war or state-backed cyber exclusion carefully, because the line between a state-backed attack and ordinary criminal activity is often unclear at the time of an incident.
Given these developments, it is unsurprising that the cyber insurance market has hardened, with higher premiums and more stringent requirements for prospective insureds seeking coverage. Accordingly, when seeking to purchase a new policy or a renewal, companies should begin the process well in advance of any expiration date and should consider conducting an internal assessment of their cybersecurity practices (ideally one conducted by counsel for the purpose of providing legal advice, so that the assessment may be protected by privilege).
A cyber extortion demand (e.g., a ransomware attack) and the associated expenses (such as engaging a cryptocurrency broker and a ransom negotiator) carry substantial cost for an organization, with some ransoms reaching the tens of millions of dollars. Prior to an incident, policyholders should confirm (a) the existence of, and any sub-limits on, their coverage for ransom/cyber extortion payments and (b) the prerequisites to obtaining prompt indemnification of any covered ransom payment.
If an incident occurs, heightened concern about payments to sanctioned entities (see, e.g., the OFAC guidance on ransomware payments) has prompted many carriers to tighten their requirements before agreeing to indemnify. Policyholders should ensure that timely notice is provided to the carrier and that all necessary consents are obtained before any negotiation or payment begins, since a payment made without consent may be uninsured regardless of the policy limit.
The insurance market has been increasingly focused on the issue of "silent cyber" or non-affirmative cyber, where coverage under traditional policies such as property, personal injury, D&O or professional liability may be triggered by a cybersecurity incident that the policy does not explicitly exclude. For example, a publicly traded company suffers a cybersecurity incident, its stock price drops, and a securities class action follows; or a malware attack causes systems to overheat and explode, causing property damage and personal injury. To combat silent cyber, carriers have incorporated "absolute" cyber exclusions into some of those policy wordings. Carriers will often attempt to mirror the coverage in a standalone cyber product to avoid double insurance, but this approach frequently creates gaps between what is covered under the cyber policy and what is covered across the rest of an insurance portfolio. Policyholders should check exclusions in detail for any anomalies, including broad exclusions that affect how specific policies respond, such as exclusions for particular forms of incident or vulnerability.
The recent rise in ransomware attacks has shown that supply chain and contingent business interruption risk are challenging to assess and manage. Cyber business interruption coverage varies significantly across carriers, and policyholders will need to check how the various elements of that coverage are triggered. Some policies have longer restoration periods and waiting periods; others may not cover increased cost of working or other additional costs. Policyholders should stress test different business interruption scenarios, including the potential daily losses associated with downtime of their own systems and of key suppliers, and ensure that their current business interruption coverage is co-extensive with those potential losses.
Generally, cyber insurance offers access to a panel of expert vendors, including law firms, cybersecurity forensic firms, data restoration specialists, PR and communications firms, and threat actor negotiators. Policyholders need to ensure that the vendors offered are suitable for the size and scale of their organization. As policy excesses increase, so may the policyholder's autonomy in selecting those vendors. Accordingly, policyholders should take the opportunity to ensure that their preferred vendors are pre-approved by their carrier. In selecting vendors, policyholders should also make sure that they have the appropriate engagement processes in place to enable rapid activation and preservation of applicable privileges (for example, by having forensic firms engaged through counsel).
The cost of a data breach has risen dramatically over the past few years, and insurers are likely to focus on aggregation in the coming years, in particular on combining multiple covered incidents, or a single systemic cyber incident, under one policy limit. Policyholders should check whether they have adequate limits to deal with large-scale data breaches or multiple breaches in the same policy year. This is particularly important where a policyholder's cyber limit is shared with other coverage (such as Tech E&O).
As the cyber insurance market hardens, we would expect cyber insurers to impose stricter compliance standards as conditions of insurability (as opposed to simply using an insured's security posture to price the risk). More obligations will be imposed on policyholders prior to inception, such as offline or immutable backups, data protection training and MFA. Non-compliance with specified terms may result in insurers declining to issue a policy. In some cases, insurers have denied coverage on the basis that an insured misrepresented its security posture in its application. Policyholders need to be clear about the representations they are making regarding their own systems (for instance, whether MFA is in fact enforced on every remote access path the application asks about) and about what further obligations they are signing up to at policy inception.
Depending on the policy wording, losses arising from incidents that occurred before the retroactive date may be excluded, even if the incident is not discovered until after that date. Because attackers can remain undetected in a network for months, an incident discovered during the policy period may well have begun before it. Policyholders should consider working with their broker to push the retroactive date earlier so that it encompasses incidents and vulnerabilities of which they may already be aware.
As a corollary to the concern around silent cyber, it is important for policyholders to consider how cyber risk may affect their wider insurance portfolio and to ensure that knock-on effects (third-party claims, regulatory investigations, securities litigation, loss of business) are addressed at adequate limits. Policyholders should work with their broker to determine whether any other carriers should be notified in the event of an incident, so that the organization does not fall foul of any notification provisions.
Policyholders should ensure that they continue to benefit from the product they are paying for. Regular conversations with brokers are critical to ensure that the policy responds in the way expected. Cyber insurance policies still vary greatly between carriers, so the better an insured understands its product, the better that product will respond when the time comes.
If you have questions about your cyber insurance policy, please contact the authors for more information. If you are experiencing a cybersecurity incident or need help determining if your network has been compromised, email us at [email protected].