Four Ways to Protect Your Cyber Insurance in Today’s Challenging Market
The Situation: The cyber insurance market is experiencing a major retrenchment, with insurers seeking to limit their exposure in a variety of ways.
The Result: The current market is defined by higher premiums, reduced limits, more restrictive coverage, and more frequent claim denials.
Looking Ahead: Until market conditions improve, corporate policyholders should develop strategies to maintain the value of their cyber coverage.
The cyber insurance market is experiencing the most significant retrenchment in its 25-year history. Insurers are moving to limit their risk by restricting coverage, adding exclusions, and reducing policy limits. Insurers have also adopted more aggressive claims-handling practices, which frequently result in total or partial claim denials. Frustrated corporate policyholders have started to ask whether cyber insurance is worth the cost.
The financial protections offered by cyber policies have clearly eroded in the past three years. But for most companies, operating without cyber insurance is not a realistic option due to contractual insurance requirements or the needs of corporate directors. The key question, then, is how companies can get the most value out of their cyber policies in today's challenging market. We offer four useful suggestions below:
1. Invest in the purchase process.
The most important step a company can take to strengthen its cyber coverage is to bring experience and strategic focus to the purchase process. Companies should conduct a candid assessment of their most important cyber vulnerabilities based on operations and infrastructure. The cyber policy application can inform this exercise because the questions may provide insight into the vulnerabilities and exposures of particular concern to insurers. Next, companies should consider having an experienced insurance professional review their existing policies to look for coverage gaps or deficiencies and to identify critical enhancements. There are generally no standard forms for cyber insurance, which means underwriters often have leeway to modify policy language in order to attract or retain customers. Investments in the purchase process can yield dividends for policyholders when a cyberattack occurs.
2. Stay abreast of new developments.
Another distinguishing feature of cyber insurance is that policies rapidly evolve. The major insurers change their policy forms every few years and are constantly issuing new endorsements to cover (or in some cases, to exclude) newly emerging risks. In the last five years, for example, we have seen insurers offer new coverages for supply chain risk, "bricked" hardware, and violations of the EU's General Data Protection Regulation, or GDPR. Policyholders should stay informed regarding the available evolving coverages in order to procure an optimal policy tailored to their needs.
3. Prioritize the insurance claim.
When a cyberattack occurs, it is important to focus on insurance coverage as a core component of the incident response. Too often, companies will back-burner the insurance claim as they address the immediate forensic and legal challenges posed by the breach. However, a failure to prioritize insurance issues can have serious negative ramifications, including late notice issues, failure to obtain insurer consents, non-compliance with policy terms, or other missteps that can reduce the ultimate insurance recovery. A victim of a cyberattack should be careful not to squander its insurance assets; the goal is to obtain every dollar of value purchased in the policy. To accomplish this, companies should consider obtaining a detailed assessment of their coverage within 72 hours after discovery of an incident. This assessment should outline the available coverage and the specific steps that should be taken to achieve a recovery.
4. Know your policy rights.
Many corporate counsel and risk managers have limited experience with cyber insurance claims. In contrast, insurer claim representatives typically have extensive experience with cyber claims and often receive behind-the-scenes advice from the insurer's coverage counsel. The insurer claim representatives will sometimes seek to use their superior knowledge to dictate terms of coverage or incident response in ways favorable to the insurer. All too often, insurers will demand information, reject costs, or insist on appointing counsel when they have no such rights under the policy. Policyholders that pursue cyber insurance claims should recognize that their interests are not aligned with their insurer—and should consider leveling the playing field by retaining experienced coverage counsel to protect their policy rights.
Despite their current shortcomings, cyber policies remain the most effective way to mitigate the potentially crippling losses that can result from a major cyberattack. Therefore, they will continue to play a central role in corporate risk management programs. But until the market retrenchment ends, corporate policyholders should consider the strategies outlined above to help preserve the value of their cyber insurance.
Two Key Takeaways
- Despite market challenges, cyber insurance remains the most effective vehicle to protect against the financial consequences of a major breach incident.
- Policyholders should respond to current market conditions by devoting appropriate resources to policy procurement and prioritizing the insurance claim in the event of a breach incident.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.