About three quarters (76%) of companies currently have cyber insurance, but less than a third of them (32%) get policies that cover all risks, according to two representatives from insurer RLI Corp. who spoke during this week’s (ISC)2 Security Congress 2018 in New Orleans.
While having a cyber policy is always a good idea, there is a fair amount of complexity that makes it difficult to determine how much coverage you need. Often third parties such as cloud providers are involved, creating coverage nuances that companies must be aware of when taking out a policy. Beyond that, companies often don’t have a good grasp on all their assets, or how much risk they can sustain, and as a result base their coverage on budget, rather than how much a cyber event would cost them.
Currently, there is no standardization in cyber policies because the practice is still relatively new, the language contained in them is often outdated because of technology advances, and even basic insurance definitions vary from policy to policy, said Sean Scranton, cyber liability national practice leader at RLI. Carriers, he said, are still trying to understand cyber assets and how to cover them, which is complicated by the fact that the landscape changes every 12 months as a result of technology, legislation and coverage practices.
Understand Your Risk
Despite the challenges, Scranton said companies should have a handle on their cyber risks to determine how much coverage to get. But he acknowledged quantifying cyber risks is difficult. The costs of cybersecurity incidents vary, and as of yet there isn’t a lot of data available to help assess risks.
Since it’s hard to assess risk, often companies base coverage decisions on budget considerations. This, of course, is an imperfect approach, and Scranton said he looks forward to the day when clients come to him with exact figures because they’ve calculated their risks.
According to the Ponemon Institute, companies spend anywhere from $3.86 million to $7.91 million per incident. NetDiligence estimates that incidents on average cost $394,000, though the number jumps to $3.2 million for large companies.
Small and midsize companies typically take out policies for less than $1 million. At that level, Scranton said, policies tend to be commoditized, without much room for clients to get choosy about coverage. Some customization is common in policies of up to $10 million, and those exceeding $15 million typically are pretty specialized.
Know What You’re Getting
Scranton and his partner, Morgan Moore, advised Congress attendees to inform themselves about their cyber policies. For instance, remember that if you have a $1 million deductible on a $10 million policy, the insurance will pay out $9 million if the claim reaches the $10 million limit.
Scranton advised companies to take care when filling out policy applications, making sure all information is correct. False information is a common reason insurers deny claims. Other reasons include making changes to your security posture without informing the insurer and failure to notify the insurer in a timely fashion of an incident.
Scranton and Moore also shared a list of exclusions that often apply to cyber policies, such as third-party service providers, malicious activity by employees and reputational harm. Large companies, however, can negotiate some of these exclusions so long as they are willing to pay more for extra coverage.