Cyberattacks continue to set new records, prompting chief information security officers (CISOs) and business leaders to focus intently on how best to defend their businesses.
Cyber insurance, a combination of real-time assistance and financial reimbursement, has become an important element in a company’s defense strategy.
Given the stakes, CISOs should enter such agreements with their eyes open and ask probing questions of would-be insurers to satisfy themselves that the insurance company will back up its promises with proven support that’s readily available.
Here are eight topics to cover with a prospective cyber insurance company:
- Partner vendors: Ask whether the insurer’s partner vendors offer the full spectrum of support, such as IT forensics and remediation, legal, public relations and credit monitoring, in all jurisdictions in which the insured operates. It’s all too common to find a mismatch between the policy and the partner vendors actually available, because not all the details are fully spelled out in the policy. If there’s a mismatch, ask the insurance company whether it can pre-approve other experts.
- On-site support: Another common gap concerns IT assistance. While IT teams can reinstate many systems remotely, recovery is not always a matter of changing remote settings; sometimes computers must be physically disconnected. Whether the insured is a small business with no IT department or a large company with vast computer networks, it will need some level of on-site support, so question its availability.
- Specialized systems: When an organization has special systems, e.g., patient information systems for medical practices, often only the company that built them can service them. This raises another important question: can such companies be pre-agreed in the insurance contract to allow the insured to instruct them as needed without further insurer authorization?
- Service-level agreements: Companies seeking cyber insurance also need to do their due diligence around pre-agreed SLAs. For example, an insurer may pre-agree a law firm for an insured’s panel, but have no agreement about their hourly rates or response times. Without that there’s no compulsion on that firm to respond to the insured within any given timeframe. This leads to the question: are contracts in place between the insurer and panel vendor firms? If not, are they subject to change and, if so, how often?
- Surge clauses: The Blackbaud system breach in 2020 made the need for surge clauses in panel vendor contracts abundantly apparent. Blackbaud suffered a months-long intrusion, leaving its clients worldwide needing legal assistance and producing a huge surge in demand for lawyers. Similarly, the 2021 Microsoft Exchange Server data breach produced huge demand for IT forensics. Surge clauses guarantee an insurer’s clients access to the required specialist services during such events. Without them, companies may struggle to find a firm with capacity to assist during a large event. Ask whether the insurer’s panel vendor contracts include a surge clause.
- Claims experience: Insurance buyers should also bear in mind that not all claims teams are equal. They need to know whether, in an incident, they would notify their insurer via a generic email address or via a 24/7/365 incident-response hotline that arranges immediate support. This goes back to SLAs that stipulate set response times. Ask whether triggers are built into the SLA that can expedite insurer involvement, e.g., to enable a ransom to be paid quickly. Further, what is the insurer’s SLA on ransom payment times? Where claims departments are not solely dedicated to cyber, it’s very hard to achieve the level of experience, knowledge and dedication found in dedicated cyber teams. Less experienced teams often need more external legal counsel to reach determinations on coverage, which slows down the claims process. Dedicated teams can offer certainty to their clients much faster. Find out whether an insurer has a dedicated cyber claims team and how experienced it is.
- Ransomware: In the event of a ransom demand, would the insured pay the money to the vendor, or would the insurer pay it directly to the vendor or to the insured? The answer will affect the insured’s cash flow and/or the speed at which a ransom gets paid. The shock of receiving a ransom demand can paralyze management teams. The more they know about the process, and the more thought they have given in advance to their potential responses to a demand, the lower their blood pressure and their chances of missteps, letting them focus on achieving a swift resolution.
- Business Interruption: BI claims continue to take longer than they ought, often because of a lack of clarity about the information an insurer needs to assess an insured’s loss. Ask about the process for assessing BI and, crucially, what information the insurer needs on hand so they can assess the loss quickly and accurately.
When buying cyber insurance, asking these questions can be the difference between swift reinstatement and indefinite disruption. Quizzing an insurer can inspire the confidence clients seek and considerably limit the possibility that the buyer will first learn about service deficiencies during an actual cyber incident.
Luke Johnson, claims manager, cyber risks, Canopius