Cyber coverage is a frequent topic of conversation among those involved in risk management. Here are my top five things for Northwest businesses to consider, from a coverage lawyer's perspective.
1. Accurately assess your risks. Cyber coverage is eliciting so much interest because of high-profile data breaches at major retailers and health insurers, and the ensuing class action lawsuits. However, it has so far been fairly difficult for those class actions to get off the ground, due to legal impediments. (Some of those impediments may be falling away, as I wrote about here). That means that even if a hack occurs, a class action may be unlikely, unless a lot of data was involved. Most businesses outside of the retail and healthcare sectors have relatively little high-value data and therefore have (relatively) low risk of a significant liability exposure. Does that mean that cyber insurance isn't for you? Hardly. As the saying goes, the question is no longer whether your company will experience a breach, but when - and how often after that. Cyber coverage's biggest benefit for the average business is first-party coverage: coverage for the cost of investigating a breach, notifying affected customers, lost business income, etc. It is unlikely that those costs will be covered by your other insurance.
2. Adjust sub-limits to match actual needs. Businesses often focus on the aggregate coverage levels for any kind of insurance. But most cyber policies contain sub-limits for specific kinds of coverage (particularly the highly valuable first-party coverage), and sometimes those sub-limits are far too low. Learn what the actual costs might be, and set sub-limits accordingly.
3. Read the fine print (or pay someone to help). Cyber coverage is not standardized. Because this is a relatively new coverage, each insurer is writing its own coverage forms -- but the differences are not always obvious. There is no "one-size-fits-all," even for businesses with the same number of customers, employees, and the same yearly revenue. Exclusionary language may mean that what works for your neighboring business will not work for you. The upside of policy language being different among carriers is that everything is (or should be) negotiable -- take advantage of that.
4. Pay attention to vendors and suppliers. Do your vendors and suppliers take data security as seriously as you do? Do they carry cyber coverage? What do your vendor contracts require your vendors to do about data security, and are you taking steps to make sure they are doing it? This is not so much an issue about procuring your own cyber coverage, but rather a risk management strategy that will help lower the chance that you'll need to make a claim. A number of businesses (e.g., Target) have experienced a data breach because of a security gaffe at a vendor. And as I wrote here, franchisees are now involved in many data breach claims targeting large franchisors, like Wyndham Resorts. And of course vendor management may become an issue with procuring your insurance as well, if you make promises about your vendors' cyber practices when you apply for insurance. That got a hospital in California in a bit of trouble recently, as I reported here.
5. Buy cyber insurance now even if you think your company is too small to need it. Why? Because the liability component of cyber insurance policies is written on a "claims made" basis, but only kicks in if the cause of the loss (that is, the breach) happened either during the policy period or at least after the "retroactive date." The "retroactive date" is a date before the beginning of the policy period, and can be years before the policy began -- but never earlier than the first year that you bought that same kind of coverage. That can be a problem, because most cyber-breach incidents are not discovered until months and sometimes years after the initial intrusion by the hacker. If your "retroactive date" is six months ago when you bought your first cyber policy, you may be denied coverage if the hack occurred a year ago and is only now being discovered. So it's a good idea to buy cyber coverage now (even coverage with low limits, and even if you plan to switch carriers later) so that once your business grows you can set an early retroactive date and achieve better peace of mind. And that is, after all, what insurance is about.