“Cyber” (network security and privacy) insurance applications are particularly challenging for agents and brokers to complete because the coverage touches on so many aspects of an enterprise and requires multiple individuals to complete various sections. These include:
- Risk managers and financial officers: general information, limits and retention options
- Information technology officers: Technical safeguards to the network such as firewalls, intrusion detection, back-up procedures, patch management and data encryption
- Privacy officers: Data encryption on mobile devices, procedures regarding paper files containing confidential information, policies and procedures regarding privacy training
- Marketing officers: Because most cyber policies offer a website media option, questions about content acquisition and clearance
- General counsel: Networks typically use third-party providers for some data backup, hosting or security; general counsel needs to review the contracts with these providers
- Human resources: May be responsible for disaster recovery or incident response.
Given this complexity, it’s no wonder that many cyber applications come back incomplete or with contradictory information.
One of the problems with cyber applications is endemic to the rating methodology itself. The largest share of the loss dollars paid by carriers has gone to satisfying the state breach notification laws. These require companies to notify people whose personally identifiable information (PII) may have been compromised. Therefore, insurers should be rating off the real exposure: the amount of PII an insured maintains. Instead, insurance carriers typically use revenues as a rating basis. This may or may not relate to the actual loss exposure, which differs dramatically between a hospital and a manufacturer with the same revenue.
Insurance underwriters are now trying to ferret out the true amount of PII maintained by the prospects and rate the account based on the real exposure. Some applications are now specifically asking this question. This is a difficult number to obtain for most organizations but one that will go a long way to reducing the cost of cyber insurance, even if it is only an estimate.
With cyber coverage, it is not unusual to approach a few carriers for a ballpark figure before completing an application. Typically, an experienced underwriter can give an accurate estimate of the terms, including cost, from a website review and the revenues. In this way, the agent can present cyber, which in most cases may be a new coverage for a customer, in conjunction with other coverages such as the property-casualty or D&O renewal proposals. The insured can then determine whether they are interested in purchasing the coverage at that estimated price without the hassle of completing an application.
When determining a prospect’s level of risk, it may be helpful to think of the exposure in terms of “realms”:
- Network: the information digitally contained within the system
- Remote access: how employees not working within the network access the system's functionality and how that access is protected. Since access is typically through laptops, the protection of laptops is critical. Full-disk encryption may be the best "bang for your buck" risk management investment available.
- Wireless: This is now normally well controlled. The lessons of the DSW loss have tightened these controls in nearly all instances.
- Vendors: Some of the network's functionality lies with third-party vendors who are responsible for data storage, hosting, managed security, backup tape storage, etc. Contracts with these providers should be included with the application if possible and should contain hold harmless and indemnity clauses.
Although there is no universal application, most carriers are willing to work with another carrier’s application and offer a bindable quote. Although all different in format, they all have similar sections:
- General information: This section is the same as for any insurance application: name, address, years in business, etc. (One quick note on international companies: networks do not have national boundaries, and trying to insure only a U.S. entity might pose a problem.) Questions may be included in this section requesting a description of services or products provided. This is one area where scrimping on information may be costly since, as mentioned above, insurers base the premium on revenues and then apply credits or debits based on operations. It is critical that the underwriter has a complete understanding of the business. The more detailed the description, the better the ultimate outcome. A breakdown of sales by method (online, retail, and wholesale) is invaluable, for instance. Underwriters will penalize for uncertainty or ambiguity, so details on clients are critical, since much of the pricing is determined by the amount of PII the organization collects and maintains.
- System controls: This section is typically completed by the IT department. Underwriters look at how the organization's controls stack up against its peers, so that it isn't an easy target for attackers. Questions will cover technical controls (firewalls, intrusion detection and antivirus) and network structure (is there a hosting company, how many data centers, how many servers, etc.).
- General security: This section may include questions regarding corporate orientation regarding digital and privacy risks. Questions such as, “Do you have a formal security and privacy program in place? Is training given to employees with regard to security and privacy?” are examples. The answers will affect the amount of credit given by underwriters because one of the elements that has the most impact on an underwriter’s comfort (reflected in the price) is management attitude and willingness to expend resources on security and privacy.
- Backup tape procedures: Many claims arise from lost or misplaced backup tapes. Networks need regular (usually daily) backups in case something devastating should happen the next day; the enterprise then has the assurance that it can quickly restore the network to its previous state with little loss of data. However, by necessity, those tapes carry a complete copy of the data on the network, so a single lost tape exposes all of it to compromise. Most organizations hire an outside firm to transport and store tapes. These are picked up in a locked box which was left the night before. Another method is to ship tapes via air carrier. However, there was one claim where an airfreight carrier was used and the package with the tapes never arrived. A large loss was paid because the PII may have been compromised. Ideally, backup tapes should be encrypted. State laws, as a rule, treat encrypted data much like shredded documents: its loss does not require notification.
- Website media and extortion: As cyber insurance evolved, insurers added coverages addressing specific loss scenarios. Cyber extortion and website media are two examples. Cyber extortion primarily occurred in the mid-1990s, when thieves would steal data and extort the organization for money. This quickly fell out of vogue since there had to be a physical exchange, and law enforcement was able to exploit this and capture perpetrators. Website media is a standard cyber coverage because some general liability policies may not appropriately cover this new form of advertising, particularly if the company can be construed as being in the business of advertising. Therefore, the application asks questions regarding content: Who creates it? If it is not original, how is the company protecting itself against copyright suits?
- Claims: When asked if anyone ever tried to break into his system, one CIO checked his watch and said, “There are about a dozen right now; school is out.” If the answer to any of the claim questions is “Yes,” a narrative is mandatory. It may be that privacy losses are a regular occurrence. For instance, hospitals can use an incorrect email and send personal medical information to the wrong person. A short narrative will put the underwriter at ease and also help fix an appropriate deductible amount.