Despite the inexorable rise in small-cap data breaches, 80 percent to 90 percent of companies with revenues below $1 billion have no cyber insurance, according to the insurance data firm Advisen. Since many smaller companies lack the balance sheet strength to absorb the costs associated with cyber breaches, cyber insurance penetration in this segment will likely grow dramatically in years to come. Here are some issues that small-cap boards should keep in mind as their companies consider purchasing cyber insurance.
Other insurance. The first inclination of many boards is to assume that other existing insurance policies such as director and officer (D&O) or commercial general liability (CGL) will cover typical first-party claims (i.e., direct costs incurred by a company due to a data breach like forensic investigation, data loss, business interruption, data remediation, public relations, notifications, etc.) and third-party claims (i.e., liability arising out of the failure to maintain/store private information, etc.). Counsel’s advice should be sought long before a breach is discovered, inasmuch as D&O and CGL policies are often not designed to cover these (or other) first- and third-party claims arising out of cyber breaches.
Experienced counsel. It’s surprising how often corporate policies are purchased without experienced legal advice—especially in smaller companies. Given the complexities associated with cyber breaches and the relative novelty of cybersecurity and cyber insurance, companies should seek the advice of counsel who have relevant, material, and recent experience with cyber insurance.
Garbage in, garbage out. Cyber insurance is a quickly evolving industry. Unlike many other areas of commercial insurance, there is a comparative paucity of cyber breach actuarial data. Consequently, many major carriers are conflicted: they would like to participate in a potentially lucrative segment, but they are cautious about underwriting risk that’s still not well understood. What does this mean for boards?
When an insurance broker sends a simple three-page application via email for cyber insurance that barely addresses the quality and extent of your company’s computer network architecture, physical and data security protocols, and corporate risk culture, it shouldn’t be terribly surprising that the cyber insurance coverage that ensues might be inadequate. Companies should pursue policies that are only underwritten after extensive, informed security assessments.
Start with exclusions. Savvy insurance veterans analyze policies principally with respect to what’s excluded as opposed to what’s covered. Many cyber insurance policies, for example, exclude “acts of war,” “terrorism,” and “state-sponsored acts.” In other words, there are ample opportunities for some insurers to deny precisely the type of coverage that companies most desire. Focus on and fully understand what is excluded.
Administration is integral. As with other insurance products, what happens when there is a cyber-breach claim is a principal differentiator between carriers. An otherwise great cyber insurance policy can be rendered almost moot by onerous or confusing claims procedures. Try to discern whether a prospective carrier is an active risk mitigation partner to its insureds, or if it is more in the business of selling policies and moving on. Check references.
Purchasing cyber insurance can be a material part of any small-cap company’s risk mitigation efforts, but no matter how efficacious the policy or prominent the insurer, boards need to be mindful that nothing can replace comprehensive information technology and physical security controls, training, and post-breach resiliency planning. Ultimately, what’s at stake with cyber breaches is your company’s brand, and no amount of insurance can repair that.