With increasing awareness of cyber security risk issues there is now a vast array of information available which provides organisations with advice on how best to combat cyber security breach events. See for instance the recent paper from ASIC - Cyber resilience: health check. There is little information however on cyber insurance products and whether they should form part of an organisation's cyber risk mitigation strategy.
So with more and more organisations taking up cyber insurance as part of a broader cyber security strategy, there are some key issues to bear in mind.
In no particular order, make sure you ask your insurer the following:
- What are the minimum security requirements expected under this policy?
Often policies will impose minimum security requirements before offering any sort of coverage. You can expect to be qualified by the insurer, who will want to confirm that "adequate" security controls are in place to begin with. If they're not up to scratch, your application will likely be refused.
Insurers and brokers are often a good source of information and best practice. Ask your broker if they can refer experts who can assist with putting in place adequate security protocols and cyber compliance programs, or who can undertake testing to help an organisation get up to speed.
- Are there any additional measures you can put in place to reduce your premium?
It may be worth considering putting advanced security measures in place to give your insurer additional comfort and, more importantly, to reduce your premium. Your broker or insurer can advise on some "quick wins". Ultimately, however, you will need to weigh up the reduced premium against the cost and the additional time and resources involved in implementing such measures.
- What ongoing audit and compliance obligations are required?
Most policies will require some form of regular audit as well as ongoing compliance reporting for the policy to remain current. Some insurers reserve the right to audit systems and security protocols that are in place. It is important that you and your team fully understand and can plan for these activities, as failure to meet the expected requirements may mean your policy will not respond when it needs to.
- How do response and management protocols affect insurance obligations?
Ensure you have clear response and management protocols, and that they are well understood by all relevant stakeholders. In the event of a security breach incident it is important you understand how this ties in with any existing insurance obligations. Even with all your policies and procedures in place, if they are not properly followed in the event of a claim this may be the difference between the policy responding or not.
- What is the minimum downtime before the policy will respond?
Beware policies which only respond after a minimum downtime period. Cyber security breach events, once triggered, happen extremely quickly. If you have to wait 12 or 24 hours before calling on the policy to assist, it may be too late. Whilst you may have to pay extra for a reduced period, it might be worth it in the end.
- How does the policy fit with our existing insurance coverage?
Beware of any overlaps but, more importantly, of any "gaps" between policies which will leave the organisation exposed.
- How will the policy and its scope evolve over time?
Technology is evolving so fast and hackers are generally at the forefront, picking up on new vulnerabilities and opportunities to ply their trade. You need to understand how the policy evolves over time to pick up and include additional risks as they become apparent. Is this something the insurer addresses once a year or is it ongoing?
You also need to understand if these updates will result in a change in coverage and consider any additional costs that might be associated with amending the scope as well as any new exclusions which come with such changes. Ask your insurer if there are likely to be any changes which may affect your organisation's risk profile.
- What is the impact of a breach on your premiums?
Understand the impact of a breach on premiums and any additional obligations which are likely to be imposed in the event a claim is made. Are there any benefits in not making a claim, and will this reduce the premium at all?
- Does the insurer understand your industry and its regulators?
Ensure the insurer understands your industry and any unique regulatory requirements which may apply. If an organisation is in a regulated space, it will be having ongoing discussions with the main regulator(s) to make sure it is aware of any relevant standards or other best practice which the regulator expects to be covered off. Brokers and insurers that claim to have particular experience in an industry should be doing the same to ensure they factor in "nuances" which may affect the policy.
- What is the timeframe in which you must report a breach in order to use your policy?
Often breach events take months or in some cases years to discover. It may well be that by the time the breach is discovered, there is a reporting period exemption that affects you or the policy has expired. Some insurers will allow organisations to pay an "optional extended reporting period premium" to provide additional time in which they can notify of a claim arising during the period of the policy. This optional period is generally no more than 12 months however, so may not pick up on these "sleeper" events.
- What regions/territories are you covered in?
Insurers will typically not provide insurance cover for any action for damages brought in a court outside the policy's specified territories. It is therefore crucial to consider any territory limitations which may apply to a policy and, additionally, how claims affecting business conducted outside of Australia will be impacted.
Finally, carefully consider the policy terms and conditions. This generally goes without saying, but "the big print giveth and the small print taketh away".
What many organisations fail to realise is that there is room to negotiate on these issues, both the big and the small print. Arm yourself with the right questions and do a little homework beforehand, and you will be well placed to successfully navigate the cyber insurance conversation with your broker and insurer.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Madgwicks is a member of Meritas, one of the world's largest law firm alliances.