2018 was the year of hearing from clients that they are convinced that they “have cyberliability insurance” to finding out that they really don’t have the coverage that they need for the most common cyber risks.
We can’t count the number of times that we have assisted clients in the past year with cyber intrusions, phishing incidents, wire fraud, social engineering and vendor error that have resulted in the successful theft of substantial funds, or a reportable data breach that ended up not being covered by an insurance product.
In some instances, the client didn’t have any cyberliability insurance, and although it “was on my list to look into it,” coverage was never obtained. In other instances, exclusions in policies that the client thought would apply specifically excluded coverage for the facts of the incident, and in other cases, riders or coverage for certain risks were never purchased. At no time did an insurance company simply deny coverage for the sake of denying coverage—in all cases, the coverage just truly wasn’t included in the policy that the client had purchased.
In our first New + Now post for 2019, we remind our clients and readers that cyberliability insurance is a fairly new product and is in its infancy. As a result, coverage has evolved over the years, and has adapted with the rapidly changing cyber risk landscape. That means that it is tricky and may need more research and time to bind than your commercial general liability policy that you have had for the past 20 years.
So, put cyberliability insurance on your priority list for 2019. Get with a broker who really knows this subject matter and has experience in binding appropriate coverage for the specific risks of your company and industry. Talk to your broker about wire fraud risks, phishing risks, social engineering, vendor risks, ransomware, malware, data breaches, enforcement actions, fines, penalties, first and third party expense reimbursement, litigation, hacking, and cryptomining on your network, to name a few. We have experienced all of these risks and incidents in 2018 and these risks are not going away.
Once you bind coverage, don’t just put the policy in a binder on the shelf or dump it in a drawer. It is important to have it reviewed by a lawyer with knowledge in this area to confirm that coverage is available for the actual risks we are seeing occur in the industry.
One last note: if you use trusted cyber counsel or other cyber service providers, most cyberliability insurance policies will require that you use panel counsel and vendors in the event of an incident. Check to see if you can use your trusted counsel or cyber vendors and get pre-approval. That way, when an incident occurs, you will not be surprised to learn that the coverage only pays for the services of providers with whom you don’t have an existing relationship.