Getting Cyber Insurance Right: 5 Practical Tips
This article is part of our Cybersecurity Blog Series, which is intended to provide readers with a 360° view on cybersecurity. To view other blog posts in the series, please visit Cybersecurity Blog Series from McCarthy Tétrault’s Cyber/Data Group
Having good cyber insurance coverage is an important component of managing enterprise-level risk, and getting it right has never been more important. As cyberattacks remain the rule rather than the exception, insurers are rapidly adjusting their cyber insurance approaches and offerings, including by taking a more “hands-on” approach to assessing the insured party’s cyber readiness maturity.
We have put together five tips for organizations to keep in mind when they secure or renew their cyber insurance policies:
- Purchase coverage under a cyber policy specifically. Insurers offer specific cyber policies and are increasingly seeking to exclude cyber coverage from their other policies. For that reason, it is risky to rely on general commercial, D&O or other insurance policies to provide a patchwork of coverage that will insure your organization in the event of a cyber incident. The Ontario Court of Appeal’s decision in Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company is a recent case insurers may rely upon to try to deny coverage under non-cyber policies: the court broadly interpreted a “data” exclusion clause in a commercial general liability policy, leaving the policyholder without coverage following a criminal cyberattack (read our post on that decision here). While some general commercial, D&O or other insurance policies may still provide data coverage depending on their specific language, having an adequate cyber-specific policy is the best practice.
- Ask insurers to approve your preferred legal counsel and other service providers at the time you purchase or renew the policy. Third party service providers like external legal counsel and forensic investigators are an integral part of a company’s breach response. Being able to pick the service providers you want to work with, and mobilize them immediately, can be a critical component of an incident response plan. However, that plan can go awry if the policy requires an insured to use the insurer’s pre-selected “panel counsel” or “panel forensic providers”, who may not be suitable for the company’s incident response plan, or if the policyholder needs to get approval from the insurer before engaging a service provider to start work on incident response. Insurers often offer different levels of policy, and some allow the policyholder more control over choice of counsel and forensic service providers. You should look carefully at the terms of the policy to determine whether the policy allows you to work with your preferred service providers, and whether you need insurer approval to do so. With the help of a skilled broker, policyholders should negotiate insurer approval of their preferred legal counsel and other service providers at the time a policy is purchased or renewed—when they have the most leverage and there is no urgency—not in the wake of a breach.
- Invest time when answering the insurer’s questionnaire about the company’s IT security. When applying for or renewing cyber insurance, insurers typically ask policyholders to complete a questionnaire about their network and IT security. These questionnaires are important: insurers may rely on any mistaken or incomplete answers to impose or negotiate reductions of coverage when an incident happens. Companies should invest time to provide accurate and comprehensive answers to the insurer’s questionnaire. This includes asking for clarification where a question is unclear, getting input from the IT team or others on matters that require technical expertise, clearly listing any qualifications that apply to the company’s answers, and carefully selecting who signs the warranty of the company’s responses.
- Pay close attention to the exclusions. To ensure there are no gaps in coverage and to understand residual risk, pay close attention to the exclusions that apply to a policy. For example, is there a cyber-terrorism carve-out that might limit coverage for a politically motivated attack attributed to a foreign state such as Russia?
- Do not simply renew the cyber policy automatically each year. Cyber insurance continues to evolve rapidly. Always check for key changes to the policy coverages as compared to the prior year, and do not forget to ask for any coverage enhancements that may have become available since the last policy date.
To learn more about developing a cybersecurity strategy and an incident response plan, download a copy of our Cybersecurity Risk Management: A Practical Guide for Businesses or visit the Cyber/Data homepage.