As cyber risks evolve, cyber insurance becomes harder to get

Underwriters are asking tougher questions about companies' cyber attack mitigation plans.

(Top, left to right) David Navetta, partner at Cooley, and Audrey Jean, senior privacy officer and senior associate general counsel at AARP. (Bottom, left to right) James Steel, director and counsel at American Express, and Stephen Liverpool, general counsel at Raymond James Bank. Courtesy photo

Cyber insurance is a critical tool for businesses facing the looming threat of a major cyber incident. And insurers have become more aware of the risks, said a panel of cyber insurance experts during the recent ACC Foundation Virtual Cybersecurity Summit. Before writing a policy, insurers want to examine everything a business is doing to mitigate a cyberattack.

In the early days of the cyber insurance market, there was a lot of competition. Risks and coverage were not very well understood, and businesses were incentivized to buy this kind of insurance, said James Steel, director and counsel at American Express Co. in New York.

In-house counsel need to work with their information security teams to map out how they respond to incidents, showing insurance providers how they would handle a potential attack. They should also look at how secure their third-party vendors are, the panelists advised.

“The market is a lot tougher now to secure coverage. Underwriters are looking much more carefully at what you’re doing in-house to make it an attractive risk,” Steel said.

However, with greater ransom demands as well as regulators enforcing laws such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation, underwriters are asking tougher questions.

“All of these risks and losses are adding to the insurance companies asking, ‘What exactly are we covering here?’” said David Navetta, a partner at Cooley in Denver.

Stephen Liverpool, general counsel of Raymond James Bank in St. Petersburg, Florida, said underwriters have become much more sophisticated than in years past, and are asking more pointed questions about an organization’s cybersecurity responses and infrastructure.

“I’ve found that putting some time and effort into how you present your organization’s risks and controls is helpful in having those conversations with the underwriters,” Liverpool said.

To reassure underwriters on the level of risk they would be taking on by issuing a cybersecurity policy, in-house counsel should be evaluating their third-party vendors.

“You should be checking all of your third-parties and ensuring they have coverage, whether it is through your procurement contracts or through your third-party vetting,” said Audrey Jean, privacy officer and senior associate general counsel at AARP in Washington, D.C.

From the perspective of an in-house lawyer, Steel said it is critical to go through the cyber insurance policy and then map out all of the touchpoints of the insurance carrier, detailing what the coverages are and what the exclusions are.

“That way you know how the insurance maps to your internal processes. If you haven’t given some time to think about what to do in those situations in advance it can be very challenging to do on the fly,” Steel said.