Cyber Insurance: How to Find the Right Policy
Identification Number 1240
Publication Date: August 2, 2016 

In this third in a series of articles, cybersecurity expert John Reed Stark offers tips for navigating the complex cyber insurance marketplace.

A near certainty for public and private corporations is that, at some point, they will be subject to a cyber-attack. And what is indisputable is that cyber-attacks are almost always extraordinarily complicated and require a host of costly responses. So for today’s risk-averse companies, the best way to approach the question of cyber insurance is not only to understand the growing and complicated hazard of cyber-attacks, but also to obtain a stand-alone cyber insurance policy that carefully contemplates the workflow that typically follows them.

How to Find the Right Policy. Traditionally, purchasing insurance coverage begins with a policy review, a risk breakdown and a range of other risk-related analytics. However, when contemplating a cyber insurance policy, companies should initiate more of a “reverse-gap” approach toward that calculus, analyzing and scrutinizing the typical cyber-incident response workflow that follows most cyber-attacks.

By analyzing and revisiting the realities and economics of this workflow, a company can then collaborate with its insurance sales representatives and originators to allocate risk responsibly and determine, before any cyber-attack occurs, which workflow costs will trigger coverage; which workflow costs will be outside of coverage; and which workflow costs might be uninsurable.

It also is crucial that companies conduct the necessary due diligence to be sure that their cyber insurance carrier has a good claims-paying and claims-handling history and has a proven record of rapid and supportive response. When a cyber-attack occurs, too often there are doubts as to coverage, which can affect incident response.

Cyber insurance policies also can differ dramatically in their goals and objectives. For example, some policies are designed to cover HIPAA and PCI violations, as well as other regulatory noncompliance, while other policies are geared more for direct financial losses due to wire transfer fraud. For instance, if a company manages trust accounts on behalf of customers, the company likely will require insurance coverage for direct cash losses in the event of a network intrusion that results in the unlawful transfer of funds.

Cyber insurance policy premiums are “not one size fits all”, as premiums are factored on a company’s industry, services, data risks and exposures, computer and network security, privacy policies and procedures and annual gross revenue. At present, there are 70 or so insurance carriers writing cyber insurance policies, and nearly all of those policies are issued on a surplus lines basis with potentially significant differences in policy wording from one cyber policy to the next.

Watch Out for Exclusions. Just like traditional insurance policies, cyber insurance policies can contain a broad range of potentially troubling exclusions. Agreement on the wording and scope is a critical aspect of the negotiation process. Given the dearth of case law on cyber insurance exclusions, policyholders unfortunately lack the benefit of precedent when assessing the boundaries of coverage. Some examples of cyber insurance battleground issues concerning exclusions for significant expenses are:

  1. Failure to Follow Minimum Required Practices. The first question after any data breach, posed by many interested constituencies (including customers, partners, employees, regulators and class action attorneys), is whether the cyber-attack occurred because of some sort of cybersecurity failure. However, despite the popularity of the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST), no codified or judicially concocted cybersecurity standard exists. Hence, the adequacy of a company’s cybersecurity defenses is always a subjective determination and often involves “looking back” at the cybersecurity technology used by a company at the time of the actual breach and assessing its adequacy. This sort of second-guessing and 20/20 hindsight can provide useful fodder for insurance companies seeking to avoid paying a claim. Along these lines, when a policyholder fails to “continuously implement” the security procedures and risk controls that it identified in its insurance application, an insurance company may argue that a “reps and warranties” exclusion has been triggered.
  2. Act of War/Terrorism. Many cyber insurance policies contain exclusions for terrorism, “hostilities (whether war is declared or not)” and claims arising from “acts of foreign enemies.” In a car insurance or homeowner policy, an exclusion for acts of terror or foreign enemies may not seem important – or even relevant to any decision. But for cyber risk policies, these exclusions could pose a real problem. After discovery of a cyber-attack, digital forensic specialists and malware reverse engineers often will be asked to theorize as to the identity of a particular perpetrator of a cyber-attack, or even to construct a profile of the intruder. Sometimes, among the fragments, remnants and artifacts found in a laptop or server (including within deleted recoverable files, unallocated and slack space or the boot sector), evidence may point to a particular attacker or “cyber-gang,” and a data security incident may be deemed an act of state-sponsored terrorism. But these conclusions can be speculative and are only as good as the reputation and experience of the incident response team. Nonetheless, if, for example, a digital forensic specialist labels an APT attack as an act of terror, such labeling could trigger an “act of terror” exclusion. This question may be especially germane if the policyholder is in a key infrastructure industry, defense industry or technology sector.
  3. Third-Party Acts or Omissions. The third-party vendor sector has become one of the more prevalent attack vectors in recent cyber-attacks, yet some cyber policies might not cover acts and omissions by third parties or data in the custody of third parties. Nowadays, cyber-attacks also often result in disputes as to culpability for an attack, with vendors and companies each pointing the finger at one another for their perceived respective cybersecurity failures. When a dispute arises between a company and its vendor with respect to culpability for a cyber-attack, an insurance company may wait until the dispute is resolved, because the outcome could trigger a “third-party act or omission” exclusion.
  4. Unauthorized Collection of Customer Data. Some cyber insurance policies contain exclusions for losses related to data collection that was not authorized. Policyholders that gather information for consumer transactions, marketing purposes or as part of their core business model must gauge how an insurance company might use an exclusion for unauthorized collection to evade insurance coverage for a data security breach claim, especially if the policyholder is not meticulous about what data it collects; where data is warehoused; and how data is transferred.
  5. Retroactive Dates. Many policies include some sort of “retroactive date,” which disclaims coverage for claims or loss in connection with breaches that occur prior to that date. However, when a company discovers a breach or is notified about a breach (e.g. by the U.S. Air Force or FBI, which is very often the case), the company often then discovers that the breach originally occurred long before (months, sometimes even years). If the retroactive date is relatively recent in time (perhaps even the date of policy inception), there is a risk of losing coverage for earlier-occurring breaches. Policyholders should carefully evaluate retroactive coverage options pertaining to undiscovered breaches occurring earlier in time.

Documentation. Given that cyber insurance is only in its infancy, claims against such policies will have a higher rate of litigation than other more established insurance products. Thus, when a cyber-attack victim company has its first conference call with its insurance company adjuster, the adjuster might also add the insurance company’s litigator to the meeting. The litigator undoubtedly will follow up the call by sending a detailed letter of inquiry to the victim company, which will be more akin to a lengthy and comprehensive litigation discovery demand than a simple request for information.

Whatever the type of cyber insurance held by a victim company, insurance adjusters will scrutinize all invoices pertaining to the data breach response workflow, requiring briefings and documentation regarding all investigative efforts. Along these lines, communication lines also should be established so that a professional on the incident response team, preferably counsel, maintains carefully written documentation of all the response efforts. This helps later on when assembling the “documentation package” to present when seeking insurance reimbursement for the costs of the breach.

Digital Forensic “Panels”. When negotiating for cyber insurance, some insurance policies will seek provisions mandating use of a specific “panel of digital forensic experts” (even if the victim company already has a prior existing relationship with a particular digital forensic firm). Companies should check carefully on the existence of that kind of provision; much like choosing one’s own surgeon for a heart procedure, a company will want freedom of choice when it comes to selecting a digital forensics/data breach response firm.

Final Thoughts. To get the most out of cyber coverage, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular cyber risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.

Just like other kinds of insurance, cyber coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound cyber insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.

Read the first article in this series: Cyber Defense in the Boardroom: Leveraging the Financial Oversight Paradigm

Read the second article in this series: Cyber Insurance: Why Your Company Needs It

John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook,” available as an eBook on Amazon, iBooks and other booksellers.

*The Publication Date reflects the date of first inclusion in the Reference Library, which was launched on July 31, 2012, or a subsequent update to the material. Material may have been previously available on a different Nasdaq web site.