Early in the new year is the right time to ring in new healthy practices for your business. Asylas recommends taking time each year to review your cyber liability insurance policy.
There is consensus across experts in cyber security that the pandemic spurred on an increase in both the number of attacks and the severity of those attacks. That trend is expected to continue into 2021.
Due to these threats, the cyber insurance market continues to grow and evolve. What was a $9.5 billion business in 2019 is projected to grow to at least $20 billion by 2025.
As the market tightens, the underwriting process is getting more intense. Insured companies are under more pressure to prove their resilience to attack during the application process. And insurers are relying more heavily on analytics to assess potential exposures and to determine limits to coverage. Some carriers are also considering ransomware sub-limits as well as co-insurance or even supplemental policies for ransoms.
Take time during Q1 to consider your risk position and the plans you need to have in place to defend your business. Here are six areas to examine.
1. Review Your Original Application for Coverage
If you do nothing else on this list, do this step! Dig out the original policy paperwork and review any declarations that were made at the time of application for coverage. These might include the type of equipment you use, your security protocols, the location of your office(s), the number of employees, and annual revenue estimates.
The application may have been completed before you were in your role. Your IT staff may have turned over completely. It’s possible that your current staff is not aware of what was disclosed on the original application. This is an unacceptable position that will leave you flat-footed in the event of a potential cyber liability claim.
Most importantly, make sure you are keeping up with the security practices and maintenance procedures outlined in the application. You must “meet or beat” the systems disclosed in your original declaration or you risk claim denial in a breach.
2. Review Your Claim Requirements
Certain actions require prior approval from your policy provider to be considered valid for reimbursement. Review what is required and make sure all relevant employees are aware. Prior approval is likely required for ransoms or other extortion expenses; attorney fees; reputation control during a newsworthy event; and other large costs.
Know how quickly you must provide notice of a potentially qualifying event. Your policy should outline how long (30 days, 60 days, etc.) you have to let your provider know about a breach, hack, malware attack, or DDoS event that will incur cost.
3. Review What Is Not Covered
Most cyber liability policies do not cover damaging events caused by the environment in which your technology exists. Fires, explosions, lightning, wind, floods, earthquakes, airborne pollutants, and acts of God typically fall under general liability policy coverage. Make sure your business is adequately protected by these other types of insurance too.
Be mindful of “silent cyber.” Because cyber liability insurance is a relatively new product in the marketplace, many claims have been filed under general liability policies that failed to overtly exclude business interruptions caused by hacks and breaches. These loopholes are being closed by carriers to avoid over-aggregation. In short: Don’t rely on any policy that is not specifically a cyber liability policy to cover a cyber attack. Companies have gotten away with this in the past, but insurance providers are cracking down.
4. Consider Additional Supplements or Changes
Has anything changed about your business or the environment in which your business functions in the last year that would merit changes or additional policy supplements? If you have added or removed physical locations or seen a large shift to work-from-home among your staff, you may need to make a policy adjustment.
Acts of terrorism are not always covered under cyber liability policies. Are you functioning in an area of the world or a business sector that has newly become a target for terrorists? Consider adding a supplemental policy to address this threat.
Ransomware insurance supplements are also on the rise. If your business sector has seen a rise in ransomed assets, review what your policy will and will not cover. Find out if a supplement is appropriate.
5. Review and Update Your Crisis Management Plan
After reading (and possibly updating) your policy, you’ll be well versed in the requirements for making a claim. Claims must be submitted rather quickly and with detailed proof of all circumstances leading up to the qualifying event. Make a plan for how you will handle this crisis now.
A good crisis management plan includes an inventory of all company equipment, as well as protocols for all system and security logs. Verify that this inventory is up to date and identify which employee(s) are tasked with maintaining it.
Have a plan for preventing additional loss or damage in the event of an attack. How will the system be taken offline and who will be responsible for repairing it? Note that if an additional loss is incurred from the system due to a failure to repair it after the initial loss, a second claim could be entered with penalties attached, such as a new deductible or a higher coinsurance percentage.
Prepare a list of all reporting authorities. Both your insurance provider and local and federal law enforcement require reports for certain types of attacks. Know how and when to contact the FBI, SEC, local law enforcement, etc.
Remember that the onus of proof is on you to establish that a loss should be covered. Competent staff or contractors must be available to create adequate and timely reports in the event of a loss. You should be able to name the employees or vendors who would create this type of report. Do not go looking for them after the fact!
6. Examine the Coming Year
Are you looking at making any mergers or acquisitions in the coming year? Include your IT department in the process as early as possible so they can begin assessing risk. The cost of reputational or financial harm from a potential cyber incident during the M&A process should be factored into any deal.
Be prepared to provide your insurer with written notice of the new business relationship or asset in a timely manner. Your policy should outline how many days from the date of acquisition you have to do so.
On the flip side, if your business is liquidated or goes into receivership, you may lose your coverage. If either of these scenarios is possible, contact your policy provider in advance of the event. The same goes for consolidation or merger with another business entity. Written notice and acknowledgement are typically required and additional premium may be due.
New Year, New Threats
Be ready for all that the new year holds. Hopefully, your business will be untouched by breaches of every kind. But an ounce of prevention is worth a pound of cure. Reviewing your policy and surrounding security practices is the prevention you need today.