FAQ – Cyber Insurance Policy – Guidance
What are some of the values and shortcomings of cyber insurance?
- Cyber insurance policies typically offer business interruption and data restoration coverage for an additional premium. Whether these services are covered depends on the specific policy; consulting the insurance carrier or broker is the best way to understand the boundaries of coverage.
- Smaller organizations may not want to pay the higher premium for these add-on services.
- Companies providing data recovery services may be able to restore deleted data if a malware attack did not forensically destroy the data.
- Healthcare professionals need to be reminded of the Hippocratic Oath, “first, do no harm.” If a patient/provider cannot access a complete medical record, care plan/treatment options could be compromised, repeat testing/data collection may be required, and additional charges could be incurred, any of which could be harmful.
What are the key areas to keep in mind when you purchase or review your cyber insurance policy?
1 – Understand the broker’s (or the carrier’s) requirements and expectations for notification. It is important to understand the policyholder’s obligations regarding when to notify the broker of a cyber incident. Failure to comply could result in reduced or no reimbursement.
2 – Be sure to understand whether there are sub-limits on coverage for certain parts of the policy. For example, an organization may have a policy with $5,000,000 in coverage but a $500,000 cap on coverage for incident response costs, such as a forensic company brought in to aid with an investigation. On the surface it may appear that $5 million covers the incident, but sub-limits may apply.
3 – On a related note, understand what is covered in the scope of response costs. Is it only forensic investigation costs? Are costs covered for setting up a call center to take incoming calls if an incident exposed confidential information? What are the limits of coverage for breach notification costs and for credit monitoring?
4 – Related to hiring a forensics firm, be sure to understand whether the policy gives you the flexibility to choose your own forensic vendor or requires you to use one from an approved list of vendors the broker provides.
5 – The list of exclusions in a cyber policy can be lengthy. Policies generally place the exclusions section further down in the document, and the exclusions refer back to sections that appear early in the policy. This requires the reader to scroll back and forth to match each exclusion to the section it references.