Menaka Muthu, regional assistant director, financial lines, JLT Specialty, asks why it is pertinent to really understand your risk before buying a cyber policy.
In today’s interconnected world, it seems that no organisation is immune from experiencing a cyber-attack. Because such attacks are pervasive and the associated costs substantial, organisations are putting in place (or at least starting to consider) cyber insurance to transfer the financial risk and protect themselves against the costs of managing a cyber incident.
Before you, as an organisation, purchase a cyber insurance policy, it is pertinent for you to:
(1) Understand and assess your risk
You need to evaluate the sensitivity of your company’s data and the overall risk of experiencing a security breach incident and/or data breach. You need to consider the following factors:
- whether you are subject to any applicable regulation (such as the PDPA and/or GDPR)
- the type of data that you handle (does this include credit card information?)
- the use of portable devices and how they are connected to your organisation’s network and systems
- the number of third-party contractors you use that have access to your customers’ sensitive data and your networks and systems
- your reliance on outsourced service providers to carry out daily operations
Once you understand your risks, it will be easier for your company to insure them and tailor a policy to match those requirements.
(2) Understand the coverage
The cyber insurance market in Asia lacks uniformity; therefore it is crucial for companies to understand coverages and exclusions. To ensure that your business has the right coverage, it is critical to assess your business and consider the specific risks you wish to insure. As the level of coverage your business needs can vary depending on the company’s exposure, it is important to work with a broker who can tailor your policy to match your business requirements.
Further, unlike other forms of insurance, cyber insurance is not one-size-fits-all; a specialist broker can therefore play a vital role in providing companies with the advice they need to purchase the most suitable coverage for themselves.
(3) Find a knowledgeable broker
As mentioned above, unlike other forms of insurance, cyber insurance is not a one-size-fits-all type of policy. Hence, it is imperative that you find a broker who understands policy language, industry differentiation, and the connection between the evolving threat landscape and the insurance marketplace.
Due to the ever-changing landscape of cyber risk, a good broker should be able to innovate, tailor and customise solutions for their clients’ needs based on their specific exposures. We at JLT are constantly challenging underwriters to think about coverage in a different way, either based on the explicit needs of our clients or based on our vast experience with policy language.
(4) Indemnity through vendors
It is important to understand how policies will cover the risks arising from the use of vendors or third-party service providers. Some of these contingent risks carry huge exposures; just look at Target (a US-based company), which was breached through a heating, ventilation and air conditioning (HVAC) provider.
Significant problems can arise if you don’t understand how a policy will respond to a cyber event that affects your organisation through indirect means. You cannot assume that such losses will be covered!
(5) Where and how cyber insurance fits with other insurance policies
Look into the other insurances you carry, such as general liability insurance, property insurance, crime insurance and errors and omissions (E&O). It is important to understand how the cyber policy will fit with these policies. In some cases, there may be some overlap in coverage when it comes to third-party liability coverage. As such, policies need to be structured well to ensure clarity on which policy will respond when a claim occurs.
It is also important to note that traditional policies don’t overtly cover first-party breach notification costs and these gaps could leave an organisation responsible for the full cost of a data breach response.
Recently, the non-cyber markets have been including cyber exclusions within more traditional policies such as property and construction policies. This makes it more important for you to review exclusions with your broker to understand their impact and determine how they can be complemented by cyber insurance.
(6) Understand how to integrate insurance claims process with internal processes
A cyber insurance policy should change the way an organisation internally manages security breach incidents. After purchasing a cyber policy, your company should understand how and when to involve your carrier if a security breach incident occurs. This could include:
- updating any documented procedures, like an incident response plan with new roles and responsibilities
- revising timelines
- updating current contact information
- updating the list of vendors to include the insurer’s panel vendors
With cyber incidents increasing in frequency, cyber insurance is becoming more important to businesses. However, this remains, or is deemed to be, a complex process for organisations. Therefore, having a specialist broker to guide you will ensure that your company has a seamless process for transferring its risk.