Applying for any kind of insurance coverage requires answering the carrier’s questions or filling out an application form.
Generally, for something like auto or homeowners’ insurance, the form is fairly simple, asking about the number of miles you drive or how close your home is to a fire hydrant.
Filling out an application for cyber insurance is much more complicated, said Judy Selby, managing director of BDO Consulting, as she moderated the panel titled “You Finally Bought the Cyber insurance Policy. Now What?” as part of ALM’s cyberSecure conference on Sept. 27.
Panelist Scott N. Godes, partner with Barnes & Thornburg LLP, noted that filling out the application correctly, to the best of a company’s ability, is critical. In some cases, the carrier’s lawyers could advise the carrier to rescind the policy if any of the answers turn out to be wrong.
Dan Twersky, assistant vice president at Willis Towers Watson, also on the panel, explained that for cyber insurance, whether a renewal or a new purchase, in-person interviews are part of the underwriting process. It’s important to be prepared for the interview, he said, and to understand the information included in the applications. That may mean having the chief information officer or chief information security officer participate in filling out the application and in the interview.
The questions in the applications vary, Selby noted, but most want to know the level of network security, whether you have a good firewall in place, and whether you use intrusion detection software. The applications also address the issue of training on data security and procedures, as well as whether a redundant network is available for backup.
Vendor management issues
“You need to have a program, policy and process in place for vendor management across all vendors,” said panelist Lee Tenny, vice president and global head of vendor risk management at First Data Corp. The program has to include all possible points of risk, including back-door entry points, he added. Tenny’s company has a process in place to vet all vendors, which recently included the vendor installing new toilets in their office building. Surprisingly, the toilets turned out to be WiFi-enabled, requiring Tenny to initiate his risk management process in regard to this vendor.
The panel agreed that vendor contracts should spell out who is responsible for the consequences of a breach involving data that the vendor holds. Godes noted that in his experience, large-scale policy holders generally work with their insurers to cover third-party vendors.
Selby pointed out that the New York State Department of Financial Services recently proposed regulations on cybersecurity that include strict rules on vendor management that banks, insurance companies and other financial services firms will have to comply with.
Business interruption concerns
Drew T. Olson, a director at BDO Consulting, said that he hears a lot of complaints from clients about the terms and conditions for business interruption coverage in cases of data breaches or cyber attacks. “The business thinks in terms of three- to five-minute increments,” he said, “while the policy says that your system has to be out for 12 hours before coverage begins.” For some businesses, that 12 hours can ruin the company.
Olson said he believes the industry has to come up with better waiting-period language to reflect the reality of internet-based businesses. He suggested that the focus be similar to waiting-period language in property insurance policies.
The panel agreed that there is room for compromise and negotiation with cyber policies. More than 65 companies offer the coverage, and their forms vary. It’s clear that companies that want cyber coverage will be able to find it, with varying premium costs and coverage limits.
As a member of the audience commented, “It’s incumbent on the broker to negotiate the terms and conditions that best fit the client’s needs.”