Cyber Security Insurance: Nine Questions to Ask to Determine Your Exposure

By Kathryn T. Allen

There is an increased interest in cyber security insurance for businesses amid frequent news of computer hacking, network intrusions, data theft, and high-profile ransomware attacks. Since cyber security insurance is relatively new to the market, many companies lack a basic understanding of what their policy covers and what it may not.

Questions to ask your insurer:

1. Does my policy cover my vendor’s errors in addition to mine? Vendor management is becoming increasingly important for businesses, especially those that deal with sensitive information (i.e. financial services or health care). It is important to identify whether your cyber policy covers your loss of data when it is in someone else’s possession. For example, a policy may reference coverage for “your computer system” but the definition of “your computer system” might exclude (or not reference specifically) the cloud or networks run by third-parties. 

2. Does my policy cover “inside the house” risks? Employees are the single greatest threat to a business’ cyber security. Many cyber policies only cover the malicious theft or destruction of data from an outside source, but studies have found that many times it is employees who are unintentionally and unwittingly contributing to data loss and breach. 

3. Does my policy cover cloud-related risks? Certain insurers have used “sub-limits” or lower limits of coverage that cap the amount available for claims specific to cloud-based risks for cloud users. Also note that some policies will have an exclusion for liability assumed through contract by the cloud provider. This means that your cloud provider may have far less liability coverage for your data than you assumed. 

4. Does my policy apply retroactively? It takes an average of 256 days for most businesses to identify a malicious attack. If the attack occurred prior to you obtaining the policy, you may run the risk of your insurance not covering it. Some insurers will offer retroactive coverage for an additional premium.

5. Is my policy limited geographically? Some policies limit coverage to the United States or put restrictions on how far from your place of business events or incidents must take place in order to be covered. If you are using cloud-based services, those servers could be located outside of the U.S. or could be thousands of miles from your business’ headquarters. 

6. Does my policy cover physical breach? Claims relating to a cyber attack on your systems are covered, but what about physical breaches? Phone systems, security cameras and other systems that are controllable through the internet are all exploitable. It is important to have a clear understanding of which insurance product covers the physical aspect of a breach.

7. Who is my contact in the event of breach? A set claims process following a cyber-security incident is something an increasing number of insurers are implementing. It is important to understand your insurer’s policy and know who your point of contact will be in the event of a breach. 

8. Can I get a reduction in premiums if I implement certain policies/procedures? Many insurers will offer you lower premiums or renegotiate your existing premiums if you can demonstrate you have taken concrete steps to manage your information security risks. 

9. Does my policy cover PCI-DSS Assessments? One of the more common, and expensive, cyber liability risks is card payment processing information. The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, and Discover. From these standards, the credit card industry sets assessments for data breaches involving credit card information, and fines and penalties for violation of the PCI-DSS. Coverage for such liabilities often requires a specific policy or coverage type. 

If you have questions about your exposure for cyber breach-related incidents or would like more information on how it could impact your business, please contact the author or your Polsinelli attorney.