Why your policy is probably null and void
The facts are startling. The average cost of a data breach is $5.5 million. Sixty-five percent of public companies that participated in a recent Chubb survey do not carry cyber liability insurance, despite the fact that 63% of decision makers are concerned with cyber security risks. The remaining organizations that do purchase cyber liability policies can rest easy knowing that in a “worst case scenario” they are covered… right?
The scary part is…
Wrong. Though organizations today are moving in the right direction by purchasing cyber liability policies, the fact remains that these policies are being purchased by direction from the executive level, delegated to management, and, ultimately bound by checklists and attestations that are riddled with misstatements. Intentional or not, these misstatements equate to what is known in the industry as material misrepresentation, which can render your multimillion dollar policy worthless.
I’ve misrepresented my material?
Material misrepresentation is a misstatement to a question asked during the application process that is so important that, had the truth been known, the insurance company would not have issued the policy or would have issued it with a higher premium. If material misrepresentation is confirmed by the insurance company, it will usually void the policy and coverage retroactively to when the policy was signed. Material misrepresentation constitutes a breach of contract and the insurance carrier will have the right to declare the policy null and void.
Are we covered yet?
But material misrepresentation is only one part of the equation. It is also important to note that several companies surveyed did not have adequate coverage to
begin with. Appropriate vetting and binding of the policy is absolutely critical. For example, some insurance providers will cover what is referred to as “first party damages,” best defined as damages to the policy holder itself. These can, but do not always cover, costs associated with repairs to damaged systems, customer disclosure costs, as well as forensic investigation costs. Other providers will cover “third party damages,” which are damages suffered by customers, business partners, and business associates. These damages may cover the cost of legal settlements or credit monitoring services.
In several instances, SecureState has reviewed policies purchased to cover data for which the organization is the custodian, and ultimately belongs to a third party. On more than one occasion, it was discovered that the cyber liability policy that was bound to cover the organization covered only data and assets which belonged to that organization specifically. The Policy did not extend beyond the company’s walls and therefore was not protecting what they thought (and needed) it to cover. The policy cost several hundred thousand dollars a year and was, in essence, worthless.
The fine print
It remains critical for organizations to very specifically determine where they aremost at risk before purchasing a blanket cyber liability policy. Performing risk assessments on an annual basis would be an excellent first step towards this for most organizations, as very few do today. This can help an organization to understand where their greatest risks lie, and to tailor their insurance to appropriately transfer risks to a 3rd party as part of their overall Risk Management strategy. In addition, policies should be thoroughly vetted by multiple stakeholders within the organization while being equally and concurrently vetted by the insurance organization that is issuing the policy.
Cyber liability insurance is still a fairly new field. There is no one-size-fits-all policy, meaning organizations have many choices as to what they will cover and will not cover. This leaves lots of room for negotiation but can create unintentional gaps in coverage. Both parties should have a thorough understanding of what is and is not being covered as well as any caveats to the policy. As is always the case, mind the fine print.
Cyber Liability Insurance Review
SecureState’s Advisory Services