Recently Rick Kam, CIPP, President and Co-Founder of ID Experts, wrote "The Benefits and Limitations of Cyber Insurance" in the Risk Management Monitor. I wanted to point out some specific issues created by the limits on choice in some cyber policies. First, it is understood that some limits are to be expected as carriers seek to manage their own risks and profitability. However, limiting the way a breach is responded to and the services offered may create more risk exposure for everyone involved.
Cyber liability coverage is developing and changing rapidly. Historically it was developed to close gaps that network security insurance coverage left open. Network security insurance did not include coverage for customer or patient notification when a breach occurred, for the legal services needed to develop the required breach communications, or for the funds for a legal defense. With those expenses in mind, the original cyber policies were written to cover the costs of forensics, legal fees, and the costs to print and mail a notice letter, as well as to provide credit monitoring and/or restoration.
Now that cyber liability coverage has been in place for a while, claims are being processed and some of its limitations are being exposed. When breaches occur, the biggest concerns many of our clients share with us are:
- Reputational issues resulting in loss of customers or patients
- Government investigation (uncovering a lack of compliance)
- Legal costs from either customer/patient lawsuits or corrective action plans
Many breaches, especially in healthcare, create a variety of communication challenges due to the demographics of the affected population and the data compromised. As healthcare has become a large buyer of this type of coverage, the policies from the "old days" are not always the best solution to the risk problem.
The demographic variable of the affected breach population, added to any one of the above concerns, creates the need for much more than just a compliant response. The "above and beyond" solution in the past was to provide credit monitoring, which may still be part of an appropriate response in many situations; however, credit concerns are not always the issue that breach victims want help with. The challenge is that many policies cover mailing letters and enrollment in credit monitoring, but this solution often does not reduce the risks commonly reported by our breached clients.
The point here is that breaches are like a tweet from a Hollywood star or a pro athlete: you never know what you are going to get! So trying to develop a very prescriptive approach that is covered under an insurance policy can easily miss the mark for the best way to minimize the risks of a particular breach. When clients ask me what is best for them, I recommend getting everyone internally to discuss how they would respond to a major breach if and when it does happen, and then finding a well-qualified broker to help source the coverage that would cover that type of response.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.