The first insurance product related to cybercrime was developed in 1997 and protected against the hacking of websites. Since then, things have gotten more complex. Today there are many more ways to cause harm through the Internet and the consequences are more wide-ranging, including expensive violations of state and federal privacy law, theft of trade secrets, and the total shutdown of a business as evidenced by the recent hacking into Sony Pictures’ network systems. Not only are large corporations like Sony Pictures, Home Depot, and Target vulnerable; small firms that conduct business through the Internet and store sensitive client information on networks are vulnerable, too, such as law firms that collect personal information about clients for billing purposes.
The following 10 tips will help you start an important conversation between your firm and Narver Insurance to craft a comprehensive cyber-liability insurance policy to protect the assets your company has worked hard for.
- Ask for retroactive coverage. Your firm needs to have coverage for a breach that occurred before you were aware it happened. Retroactive coverage insures prior unknown events that result in claims or expenses during the policy period. Think Target or Home Depot, neither of which knew that they were breached until many months after the event occurred. Retroactive coverage can be negotiated for one, two, five or 10-year periods and some insurers offer unlimited coverage. Be aware that some insurers do not offer this coverage.
- Review the limits and sublimit clauses in the policy to ensure that they are adequate for your firm’s needs. Pay attention especially to the limits for crisis management and regulatory action expenses such as fines for state and federal privacy act violations.
- Third Party coverage is essential. Does it include an Errors & Omissions section? The policy should have language stating that the Insurer shall pay for all losses incurred as a result of any alleged failure to protect confidential information in the care, custody, and control of your firm or of a third party to which your firm has provided confidential information. If your firm handles data for any other entities, make sure your liability to them is covered as well.
- Know upfront and understand what the exclusions are. Many policies deny coverage for unencrypted laptops or mobile devices. Some have a “wild virus” exclusion that means coverage would apply only to a cyber-attack aimed specifically at your firm, as opposed to viruses circulating over the Internet that are “wild” and not directed at any particular entity – but that can still damage your networks, leaving you liable for loss of data and breach of privacy.
- Make sure the policy’s coverage language includes not only loss from a breach (or “hack”) but also loss due to destruction (intentional or accidental), and covers not just the loss of data but also unauthorized access, acquisition, use, disclosure, or loss of confidential information.
- The policy should say that the Insurer will pay for the Insured’s expenses NOT arising out of a claim, but INSTEAD in response to an actual or alleged security breach.
- Examine your business loss policy. Is your coverage triggered by a complete shutdown of business operations, like Sony Pictures, or interruptions of business operations?
- Harmonize cyber insurance with your other indemnity agreements. At Narver, we want to make sure if you waive/cap your indemnity rights against vendors that the insurer does not deny you coverage. If you have a cloud vendor, pay particular attention to the indemnification clauses in their contracts; most refuse to indemnify.
- Sync your cyber insurance with your other insurance and your vendors’ insurance policies. Narver will help you review your agreements with vendors and make sure your policy’s “other insurance clause” states that their policy will apply first.
- Negotiate liberal defense provisions. Are there “panel” and “consent” provisions requiring that your firm must use the insurance company’s pre-approved forensic consultants and defense counsel so that there are no misunderstandings of “prior consent”? Ask for policy language stating that the insurer’s consent should not be unreasonably withheld. If there is concern about payment rates of professional fees, negotiate that upfront.
If you approach your insurance needs with this type of broad understanding, Narver will be able to negotiate coverage that protects you and is reasonably priced. But don’t leave your company under-protected. With the growing threat of Internet crime, you can’t afford to operate with the wrong coverage.