July 12, 2018

Cyber Liability Insurance: Getting or Keeping Your Policy Just Got Tougher

Get Covered, Stay Covered, Get Paid

Cyber attacks are something we simply must deal with in this day and age and during the course of our business practices—they happen.  And those without cyber liability insurance will find themselves “up the creek” if they did not already have a policy in place prior to an attack.  Just as you cannot obtain flood coverage after an evacuation order has been issued, your organization cannot seek coverage for a cyber attack once one occurs.  Organizations with a policy in place must also stay current on what measures must be taken throughout the year to mitigate the risk of a denied claim.  This article outlines what your organization needs to know when dealing with cyber liability insurance.

Some Statistics to Consider

While businesses are constantly finding new and innovative ways to use the latest technology and data, hackers are keeping pace.  According to a recent report from the Identity Theft Center, a total of 1,579 data breaches were reported and 178,955,069 records were exposed in 2017.  Of those, 23.7% of the breaches and 2.8% of the exposed records were in the medical/healthcare field—translating to more than 370 breaches and 3.2 million records.  The average organizational cost to a business after a data breach for the same year was $7.35 million.  Those total breach costs include: lost business resulting from diminished trust or customer confidence; costs related to detection, escalation, and breach notifications; and ex-post response activities.  As businesses increasingly rely on technology, cyber liability insurance has become ever more important to obtain and maintain.

Renewal Terms Are Getting Tougher Every Year

Insurance companies today are aware of the risk of offering cyber liability insurance.  Because of the difficult-to-predict risks and the magnitude of potential damages, more insurers are clamping down on what cyber security controls an organization must have in place and with what acts/standards it must comply when renewing a policy.  Insurers are increasingly selective in issuing and renewing policies, basing their decisions on an organization’s level of protection against a cyber attack.  A risk analysis for these expected controls is a starting point for determining if your organization is ready for renewal and would be covered under your insurance terms in case of a breach or cyber attack.

Expected Controls, Guidelines, and Requirements

While you’ve likely heard of HIPAA, especially if you’re in the healthcare industry, there are various other requirements—some industry-based—that should be addressed for obtaining/renewing a cyber liability policy.  The list is extensive and grows every year, but some questions you may be asked include:

  1. Is employee training conducted regarding security issues and procedures?
  2. Is computer access terminated when an employee leaves the company?
  3. Are procedures in place regarding the creation and periodic updating of passwords?
  4. Are background checks conducted on prospective employees?
  5. Are service providers required to demonstrate adequate security policies and procedures?
  6. Do contracts with service providers include hold harmless and indemnification agreements?
  7. Does the applicant currently use a cloud service provider in the course of business operations?

Additionally, do you know if your organization has achieved compliance with:

  1. HIPAA (Health Insurance Portability and Accountability Act)
  2. ISO 27001 IT Security Standards
  3. PCI DSS (Payment Card Industry Data Security Standard)
  4. GLBA (Gramm-Leach-Bliley Act)

As of 2017, AIG, Inc., now goes as far as to check if an organization has implemented, and adheres to, the Center for Internet Security’s (CIS) Top 20 Critical Controls.  Many of the companies offering cyber liability insurance expect not only that these items be addressed, but that policies and procedures surrounding them are fully reviewed as well.

Obtaining Cyber Liability Insurance

If your organization does not already have cyber liability insurance coverage, the process is not as easy as securing auto, home, or natural disaster insurance, where one can obtain a quote in minutes.  The application process is extensive and likely would require you to show proof of your current cyber security management.  A number of requirements and controls must be implemented, and compliance guidelines adhered to, in order to 1) acquire coverage and 2) obtain a reasonable premium for said coverage.

Maintaining a Cyber Liability Policy

After your organization has begun effectively managing its risk by becoming compliant with standards and regulations and implementing all the recommended controls referenced previously, you can then apply for, and obtain, a cyber liability insurance policy.  Now your organization is fully covered in case of a cyber attack or breach, right?  Not necessarily.

Take the case of a health system whose insurance company filed suit against the organization for more than $4 million—an amount the insurer paid on a claim that the health system submitted under its cyber liability policy.  The insurance company stated that the health system did not follow the minimum required practices, thereby disqualifying coverage.  As a stipulation of coverage, the health system was required to continuously implement the procedures and risk controls identified in the Insured’s application for insurance.  The court agreed and awarded the insurer the $4 million settlement fund. These claim denials are happening more frequently due to a failure to 1) accurately represent the state of an organization’s cybersecurity when obtaining a policy and 2) maintain compliance with standards and agreed-upon controls once “covered.”  No one wants to suffer a “one-two punch”—falling victim to a cyber attack and the monetary damages that come with it, and being denied a claim for failure to adhere to policy terms.

Are You Ready?

The point is, to get covered or stay covered, an organization must manage its cyber security risk before an outside agency is willing to offer/renew liability insurance.  After all, an auto insurer would not offer a low rate, if any auto policy at all, to a habitual traffic offender.

Policy terms are important, and one must adhere to them.  Be sure your organization is meeting, and is capable of maintaining, those terms before choosing or renewing a policy.  In the unfortunate event of a breach or attack, there should be no reason for a denied claim if due diligence and compliance monitoring have been performed all along.

PYA’s IT Advisory team, under the direction of a former hospital CIO, works to diagnose IT risks to mitigate regulatory, financial, and reputational dangers.  If you have questions about obtaining cyber liability insurance and what it takes to maintain compliance with policy coverage, contact a PYA executive below at (800) 270-9629.


