COVERAGE CORNER

SELL SELFISH CYBER

By Kevin C. Amrhein, CIC, CBIA

In talking with agents through the years about first-party cyber risks I’ve learned two things: 1) many have a general idea of what first-party cyber risks are, and 2) many have little or no idea how first-party cyber insurance works.

Many cyber insurance policies address both first- and third-party exposures. In this edition, I focus solely on insurance designed for the former. It is not my intention to understate the value of cyber insurance applicable to third-party exposures.

In this article, I reference the Commercial Cyber Insurance Policy (CY 00 01) as provided by our friends at ISO. As you may expect, many cyber risk insurers use proprietary forms. Such proprietary forms may vary significantly from the ISO form referenced in this article. The ISO form contains six Insuring Agreements, five of which are geared towards first-party exposures. For each of the five, I’ve included a brief summary/purpose and a potential concern. My goal with this article is to provide general information and give agents who have less confidence with this insurance a few points to discuss with insureds. Please do not consider this as a comprehensive review of cyber risk insurance coverage – it is not intended to be such.

INSURING AGREEMENT #1 – SECURITY BREACH EXPENSE.

Primary purpose: cover cost of diagnosing the breach and costs associated with notifying affected parties.

Something to watch out for: this Insuring Agreement does not cover costs or expenses associated with upgrading or repairing computers, software, or network components affected by the breach.

INSURING AGREEMENT #2 – EXTORTION THREATS.

Primary purpose: cover costs of hiring a service to determine the threat and handle payment of the threat and related expenses.

What to watch out for: the ISO form includes coverage for payment of ransom in virtual currency. Should such coverage be triggered via reimbursement to the insured, note that many insureds are unfamiliar with how to make a payment via virtual currency. When discussing this coverage, agents should consider referring the insured to insurer or cyber security firm resources to learn the steps necessary to complete a virtual currency transaction.

INSURING AGREEMENT #3 – REPLACEMENT OR RESTORATION OF ELECTRONIC DATA.

Primary purpose: cover costs to repair/restore electronic data damaged by a cyber incident.

What to watch out for: this Insuring Agreement does not cover costs associated with duplicating research that went into the creation of the electronic data. For example, say your insured sells wellness products online. The insured’s network is damaged by malicious code which corrupts data. The cost to hire an engineer to repair/restore data corrupted by the code is covered. However, the insured discovers that some valuable market data on prospects is lost. The insured decides to launch a sales promotion intending to re-collect market research and information used to create prospect profiles. The insured should not expect to receive money from the insurer for the time/resources needed or expenses incurred resulting from this market research under this Insuring Agreement.

INSURING AGREEMENT #4 – BUSINESS INCOME AND EXTRA EXPENSE.

Primary purpose: cover the insured’s lost income and extra expenses resulting from an interruption caused by a cyber incident.

What to watch out for: this Insuring Agreement does not cover costs associated with repairing or upgrading a damaged computer system as an extra expense. For example, say your insured’s network and website are damaged by malicious code and customers are unable to access their account information or pay for services. Damage to the insured’s computer system could take several days to assess, and the insured is starting to realize lost income as a result. To minimize the severity of further disruption as well as future incidents, the insured decides to upgrade components of its own computer system as well as lease enhanced server functions from a local technology company. Per the aforementioned limitation, costs associated with these measures are not covered as extra expenses.

INSURING AGREEMENT #5 – PUBLIC RELATIONS EXPENSE.

Primary purpose: cover costs of efforts intended to save face with the public in the wake of a cyber incident.

What to watch out for: if the expense is incurred for any reason other than to pay a public relations firm, the insured must first obtain written consent from the insurer. For example, say your insured is a chain of liquor stores. Due to a data breach, the names of frequent customers are posted publicly online. To regain the trust of the community and curb negative publicity, the insured decides to post ads online and sponsor fundraising events for local charities. The insured paid for these efforts directly and did not consult with the insurer. Since the insured did not hire a PR firm or consult with the insurer, costs associated with these efforts are not covered under this Insuring Agreement.

That’s all for now. Until the next round … cheers!

Kevin C. Amrhein, CIC, is IA&B's education consultant. He works with our CISR and CIC programs, as well as our special topic seminars and live webinars. Catch him at one of our upcoming professional training offerings: IABforME.com
