Cyber Insurance and Risk Management

Organizations are beginning to recognize the value in having a stand-alone cyber insurance policy in place. However, this is only one piece of the puzzle. Cyber exposures are dynamic and don’t usually fit squarely within any one insurance product.

To maximize insurance recoveries in connection with cyber events, organizations also need to identify whether, and to what extent, their traditional insurance policies contain silent cyber coverage, and then determine how well these policies are coordinated to maximize recovery.

The bottom line: Managing cyber risk transfer is becoming more complicated every day. In order to be truly effective, it must be coordinated and strategic. Engaging cyber insurance experts as part of your overall cyber risk management strategy will make the entire process less overwhelming and more efficient.

Own IT

In keeping with the 2019 National Cybersecurity Awareness Month slogan, let’s look at cyber insurance coverage, and what it means to OWN IT.

Computer System vs Computer Network

Almost all cyber policies include a definition of computer system or computer network. These definitions are the heart and soul of the cyber policy. Most, if not all, coverage under the policy is, in some way, contingent upon how these definitions are drafted.

In some cyber policies, the definition of computer system will only capture technology/devices owned, or leased, by the Named Insured or the Insured Entity, and used by their employees for a business purpose. This typically includes software as a service (and other “as a service” technologies), and cloud-based technology.

However, it may or may not apply to devices owned by the employees but used for both a personal and business purpose.

Companies with a Bring Your Own Device policy should pay close attention to this definition, as it may need to be revised to provide adequate coverage.

Keep in Mind

Most insurers will, if asked, amend the definition of computer system to include employee-owned devices but will likely set parameters around the extension. For example, in some policies, the definition of computer system will differ based on the insuring agreement.

When looking at business interruption coverage, in some cases, SaaS and cloud-based services will be explicitly removed from the definition of the insured’s computer system. In this type of policy, coverage for business interruption arising from these types of technologies may fall under dependent business interruption.

Dependent business interruption coverage is often subject to a sublimit – an amount less than the full limit of the policy. This could come as an unpleasant surprise to businesses that rely on SaaS or cloud-based services.

October is National Cybersecurity Awareness Month (NCSAM), a collaborative effort between government and industry to raise awareness about the importance of cybersecurity. Join us in sharing this year’s message to Own IT. Secure IT. Protect IT.

If you have any questions about our cybersecurity insurance program or want to learn more about what we offer, let’s connect.