Last Updated on July 11, 2022
Cyber liability insurance premiums are skyrocketing. Policies are also being written with higher deductibles and other restrictive policy terms, thus changing the cyber risk profile for many orgs. Underwriting due diligence is also intensifying, putting firms with immature cybersecurity programs at a further disadvantage. And when it comes to claims, carriers are doing all they can to limit payouts.
Given this turnabout in the cyber insurance game from just a few years ago, is your business all set without having a knowledgeable attorney review your cyber liability insurance? In a word, no way!
To point out the pitfalls in today’s cyber liability insurance landscape, a recent episode of The Virtual CISO Podcast features Eric Jesse, Partner at Lowenstein Sandler LLP. Hosting the show is Pivot Point Security CISO and Managing Partner, John Verry.
Takes one to know one
Eric emphasizes that a cyber liability insurance policy is a binding legal document featuring lots of potentially confusing “legalese” best interpreted by a fellow lawyer versed in cyber liability.
“If there is a coverage dispute, you’re going to have a judge interpreting what that policy language means,” Eric emphasizes. “I can’t tell you the percentage of companies that have their policies reviewed by counsel—but they all should.”
One: Devilish details
A major reason to have counsel review your cyber liability insurance policy is these documents are insanely complex. Without some expert input you might know where you’re covered and where you’re exposed.
“We review a whole host of different policies, and [cyber insurance] are one of the most complex ones out there, Eric points out. “There are a lot of exclusions, and the devil is in the details. You have defined terms in these policies from A to double-Z, and I’m not exaggerating when I say that.”
“We like to say that you need a secret decoder ring to understand what’s in these policies,” adds Eric. “Because in those definitions, in that minutia, is where the scope of coverage in those exclusions actually lives.”
Two: Room for improvement
Because of the sheer complexity of cyber insurance policies, you can’t just put them on the shelf and forget about them. You need keep your cyber policy aligned with your evolving risk profile.
“Given the risks that all industries face on the cybersecurity front, these policies can be very valuable and very important, and it’s worth the time and investment to get them right,” notes Eric. “A lot of companies don’t realize this, but oftentimes you can try to negotiate for improved terms and conditions.”
Examining the options for negotiating is another critical role counsel can play when reviewing your cyber policy.
“Counsel can help you put together that wish list,” says Eric. “You won’t get everything. But what you may get is going to depend on the premium, because a carrier is going to approach a $10,000 policy different than a $100,000 policy. But you’ll get something and it’s helpful because once you get that improvement into the policy, it can carry forward as you renew.
Three: Promises, promises
Any insurance policy binds you to a set of obligations that you need to stay in compliance with. With these complex cyber policies, it’s critical to understand what they require your business to do in terms of security procedures, controls, etc. It’s also critical to understand what your cyber policy does not cover and therefore puts on you.
“You just need to understand what is required by these policies because you need to know about sub limits, so there aren’t any surprises,” Eric explains. “And also there are requirements in the event of a breach or a claim.”
To listen to this executive-level discussion with Eric Jesse, click here.
What’s the role of cyber liability insurance from a risk mitigation standpoint? This blog post shares essential guidance: 80/20 Cyber Security, Part 4—The 3 “Damage Control” Controls