Cyber Risk Insurance (also called Data Breach, Privacy and Network Security insurance coverage) continues to evolve as the insurers try to keep up with rapidly changing technology and the growth of cyber crime. For a variety of reasons, including this evolution, Cyber Risk Insurance policies are not all the same.
KrebsOnSecurity notes that an insured is suing its Cyber Risk insurer for failing to cover a cyber crime loss (see here). It appears that the policy in question is actually a Crime policy, not a Cyber Risk Insurance policy. But the situation is a good example of the challenges of obtaining proper Cyber Risk coverage. We are not surprised by the suit and expect more of these situations. Why:
Exposures are changing: Until recently, the primary cyber risk exposure was first party expenses relating to a breach of information. Cyber exposures are changing rapidly, particularly cyber crime exposures, as criminals continue to be resourceful and are focused on the money. So the types of cyber claims have changed and include a wide range of theft and fraud.
Policies are not all the same: As we have pointed out (see here), Cyber Risk Insurance policies are not all the same – some are broad and some are restrictive. Insureds and their insurance agents/brokers need to take the time to understand the coverage they are buying.
Underwriters are limiting the scope of coverage: In a fast-changing technological environment (see our prior posts here & here), underwriters are reassessing exposures, underwriting guidelines, pricing and coverage. So some policies are not keeping up with changing exposures, and some underwriters have decided that they will not include coverage for certain types of exposures, particularly cyber crime.
Businesses do not have the same exposures: Exposures vary significantly by insured, so no one policy is best for all insureds. This means it is very important for the agent/broker, working with their wholesale specialty broker, to understand the varying exposures and coverage needs.
What happened? According to Krebs – see here – cyber criminals impersonated the firm’s CEO and convinced the firm’s CFO to wire $480,000 to a Chinese bank. In this case the insurer denied coverage because email piracy, or business email compromise (BEC), is not covered. For insurance experts, note that the policy referred to by Krebs appears to be a crime policy, not a Cyber Risk Insurance policy.
Consider another recent cyber claim: A firm issued a check to a client for a large amount, then received email instructions from two separate parties to stop payment and wire the money instead. After the firm verbally confirmed the instructions, which appeared to be legitimate, the money was wired - and is now gone. This claim has been reported to the Cyber Risk insurer and we anticipate that coverage will apply.
As noted in our prior posts here and here, email piracy, or business email compromise (BEC), is a significant and growing exposure for small and medium-sized businesses. We have seen numerous other scenarios where the cyber criminal poses as a client, business partner, vendor or fellow employee. Also, they aren’t necessarily looking for big-ticket theft - they also try for small amounts, which are often easier when targeting smaller organizations. We have previously posted some tips for preventing email piracy (see here), but proper insurance coverage is important.
It is possible to get coverage for this exposure for most businesses (but not all). However, we are concerned that the window for cyber crime coverage may be closing as claims increase and underwriters become increasingly skittish. Rates are increasing and availability of comprehensive coverage is decreasing, so businesses should consider buying the coverage sooner rather than later.
Cyber Risk Insurance is an essential coverage for businesses of all sizes; it should be mandatory. As noted above, policy forms vary and must be matched to the insured’s needs. Coverage for many types of companies can be tailored to cover the cost of breaches, forensics, business interruption, EMV Liability, PCI assessments and crisis management, as well as cyber crime.
Tennant Risk Services is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability insurance (E&O, D&O, EPL, Cyber). We excel at hard to place accounts.