As the cyber insurance market embraces frequent technological changes and is evolving based on past claims experience, companies need to understand what they must do to ensure that they are considered by underwriters as a good risk.
The cyber insurance market is starting to mature and as it reaches a position of risk and rate adequacy, companies need to consider the steps that they can take to demonstrate that they truly understand their cyber exposures. A comprehensive submission may be the difference between obtaining coverage or not and the disclosures an insured makes can reduce friction in the midst of a claim. In order to adjust a claim the insurer will require information and some of this can be provided before there is any crisis to manage.
Ultimately, the responsibility for providing information to underwriters to allow for the detailed review of risk sits with the insured. However, given that it is only in the past few years that insurers have had complete claims data (where a single event has triggered multiple insuring clauses) with which to consider rate adequacy, providing a comprehensive submission should assist both the insured and insurer in deriving a premium that is a fair assessment of the underlying risk.
When a company fully understands their IT infrastructure, it puts them in a position to know what their operational and financial exposures are and, in turn, it will provide a significant amount of help when preparing to handle a cyber-crisis. As a starting point, an understanding of the IT infrastructure and the core operational applications needs to be set out, as well as how this changes from site to site.
In addition, detail of how these sites are connected and can be segregated is also important. Furthermore, controls regarding external access to the network would need to be documented. The threat landscape faced by the company needs to be understood, as well as the mechanisms used to monitor and detect threats and, worst case scenario, network intrusions.
There are considerations and thoughts that need to be taken into account around how a business responds to an incident, for example, there may be opportunities for some sites to be disconnected from the network to stop the spread of infection; restoration costs and the length of time to recover in this case would be less. In addition, setting out how servers and PC’s are to be restored with, for example a golden image and the timeline thereon is fundamental in not only understanding the restoration costs, but also the potential business interruption exposure. Sharing the detailed incident response and/or business continuity plan should be just as important as information surrounding network infrastructure and the threat landscape.
Cyber insurance policies are typically written on a duty to defend basis where the insurer, not the insured, selects the vendors to respond to a cyber-incident. It is critical to ensure that these vendors are set out in the Incident Response Plan or Business Continuity Plan. This way, it is clear which vendors are to be engaged in each potential incident scenario to ensure that hourly rates and therefore total cost is understood from the outset. Again, insurers can use this information to understand the overall level of cyber maturity, as well as their potential cost exposure in the event of an incident.
It is vital that this type of information is shared with underwriters given that it is critical in understanding the overall risk and risk management, as well as the potential quantum in the event of an incident. A “yes” or “no” risk questionnaire will not illicit the right information to the requisite level of detail; providing a limited amount of information at the underwriting stage could cause an issue when a claim arises as coverage could be denied or delayed, while trying to figure out what was, and was not, declared.
If a cyber-incident occurs, it is then that the realisation of the damage and monetary loss becomes apparent. When a cyber-incident occurs the company will be doing all that it can to manage at a certain level post incident that satisfies regulatory requirements as well as short term customer requirements while it works to return to a normal operational level. By identifying the types of damages that may be incurred in the event of a cyber-incident prior to the event occurring, steps can be taken to ensure that the cyber policy will respond appropriately to these losses
If the insured truly understands what their cyber risk exposures are, it helps define the priorities for the cyber policy. “Good” cyber coverage should be of great importance for all companies given the amount of business transactions and regulated data taking place across IT networks, but in order to get such cover, firms need to be willing to put in the time and financial investment to familiarise themselves with these exposures, and to make sure they disclose these to the relevant parties.
It is important to remember that a cyber policy purchase process is not solely an IT department task, it affects all departments, all of whom need to participate and contribute to the review of cyber risk and cyber risk management.
To find out more, click here to watch the webinar in full.
This article was co-authored by Ben Hobby, Partner, Baker Tilly, Bernard Regan, Head of Forensic Technology, Baker Tilly, and Lyndsey Bauer, Partner, Paragon Brokers.