
Some Cyber Insurance Policies Not Ready for the Big League

GAPS REMAIN EVEN NOW

Cyber insurance has been in the market for quite a few years now.  When an insurance product has been around long enough it eventually becomes standardized.  Not so, yet, in the cyber market, so care is needed.

Even to this day gaps abound.  Some examples from policies proposed by brokers/insurers in mid-2019:

Cloud Applications Not Recognized

“Security Failure” is defined in the policy to include breaches of “the insured organization’s computer system,” with no definition of computer system. In response to a request to broaden or define the scope, the broker argued that computer system means the system itself and everything connected to it. Our plan in negotiating insurance language is not to hope a friendly court agrees with the broadest possible interpretation. Rather, our goal is to provide clarity and certainty. We demand language, available in the market, that defines computer system and/or network broadly enough to encompass the client’s operations. Here is one example:

Improve Coverage: https://licatarisk.com/improve-coverage/

Lack of Clear Coverage for Insider Fraud/Hack

Insider exploits may not be frequent, but they can be the most severe of all cyber losses.  Disgruntled employees, with an insider’s keys and access, have caused total destruction to their employers’ systems and data.

We certainly need secure coverage for these actions. But some policies are woefully deficient in how they cover them. An example:

The language of this proposed policy provided insider coverage except for actions by “senior executives.”  We would prefer a very narrow definition of senior executive of course, but the definition in question was:

As you can see, this definition goes on and on, including some of the positions we would be most concerned about, like “chief information security officer.” To totally ensure no claim would survive, this same policy also specifically excluded claims related to “employment practices,” excluding from coverage any claim “directly or indirectly arising from”:

Only key top management can be properly excluded, and no employment practices exclusion should appear in a cyber policy.

No Coverage for Data Breach of Third Party Corporate Data

In one proposed policy we troubleshot, there was coverage for personal data but not corporate data.

A data breach can result in liability for exposing another party’s confidential information.  These other parties can be employees or other persons, or they can be companies with whom you do business.

In the case in question, a covered Data Breach is defined as a breach that exposes “personally identifiable information” (PII), defined as follows:

What about that business data we were looking for?  Nowhere in sight.

What we need is for covered data to include both PII and business-related data, as in the definition of Third Party Information in the acceptable policy we did adopt:

Not ready for the big league!  Too many amateurs still prowling the hallways of the insurance industry.

(c) Licata Risk & Insurance Advisors, Inc. 2019

Frank Licata

617.718.5901

Sep 13, 2019
