SAN DIEGO—With hacking incidents becoming all too common, risk managers are under increasing pressure to help protect their companies from the inevitable breach. Insurance is an option but policy forms are still developing. In a session at RIMS 2016, Joshua Gold, a shareholder with Anderson Kill and Debbie Gramer, director of global risk management at Arrow Electronics, Inc., offered the following 10 tips to risk mangers looking to secure the best possible coverage for their organizations.
- Be careful with insurance applications. Use precise language to convey your exposures to underwriters. Never answer “yes” or “no” to a question that doesn’t really have a yes or no answer.
- Retro dates. Hackers can be in systems for days, months or even years so it is important push retro dates back as far as possible.
- Look for clear policy coverage. Forms and terms change over time as the risks shift. Having clear language can remove ambiguity.
- Symmetry with other insurance (e.g., CGL, property). Review existing policies to determine where there may or not be coverage gaps.
- Get endorsements of special coverage needs. If you have exposures from cloud providers and third-party vendors, for example, you will need to specifically address these. Exclusions matter.
- If you accept payment cards, be aware of PCI issues and card brand fines and penalties.
- Address sub-limit concerns. Losses can be expensive. Make sure sub-limits are adequate.
- Beware of breach of contract exclusions.
- Beware of conditions on “reasonable” cybersecurity measures. “Reasonable” is a subjective term. Specifically define security measures to remove any grey areas that could lead to a coverage dispute.
- Business interruption and reputational damage insurance may be vague but they are becoming more relevant. Business disruption is quickly becoming the most important operational consequence of a hacking incident. Make sure you are protected.
- Coverage, Breaches Highlighted at Advisen Cyber Conference
- 10 Insurance Tips for Risk Managers
- Beware of Coverage Gaps for Social Engineering Losses
- Aon Introduces Single-Parent Captive Cyber Insurance Program
- Tom Ridge Tells Cyber Conference Insurance Should Incentivize Risk and Resilience Planning