I just co-authored with David Fontaine (Chief Legal Officer of Altegrity, Inc.) a 15,000-word primer on cyber insurance entitled “Cyber Insurance: A Pragmatic Approach to a Growing Necessity.” This topic is ready for a unique and thoughtful approach — which David and I discuss in detail. As we point out in the article:
Today, a cyber-attack potentially implicates several different types of insurance coverage – depending on such factors as the type of attack, the extent, if any, of data loss, the relationship of the parties, the nature of the data involved (e.g. personal information, intellectual property, trade secrets, emails, etc.), the type of policy in issue and, if for third-party liability, the allegations asserted and the type of damages in issue.
Yet while the market for cyber insurance continues to grow dramatically, no standard form of cyber insurance policy language has materialized. And whether standard property-casualty provisions even cover losses attributable to cyber incidents remains subject to interpretation and potential dispute.
In addition, the actuarial challenges of predicting and gauging the potential impacts of a cyber-attack can, in turn, make it difficult to match a cyber insurance policy with the unique risk profiles of global and technologically sophisticated companies; these are difficulties faced not only by insurance providers but also by even the most experienced executive team. Cyber-attack damages are so multifaceted and unique – much more so than fire, flood, and other more traditional disaster scenarios – that there is no normal distribution of cyber-attack outcomes on which to assess the probabilities of future events and impacts. As a result, there is now a dizzying array of cyber insurance products in the marketplace, each with its own insurer-drafted terms and conditions, which can vary dramatically from insurer to insurer – some effective and comprehensive and others replete with loopholes, exclusions and other confusing features . . .
So what can companies do to protect against the damaging consequences of the emerging and in some ways immeasurable impacts of a cyber-attack? Traditionally, purchasing insurance coverage begins with a policy review, a risk breakdown and a range of other risk-related analytics. This article suggests a different approach towards the overall risk analysis.
We believe that a company should begin with a review of actual cyber-attacks experienced by others, analyzing and scrutinizing the typical cyber-incident response workflow and so-called “workstreams” that typically follow most cyber incidents. By analyzing and revisiting the practicalities and economics of these workstreams, a company can then collaborate with its insurance brokers and originators to allocate risk responsibly and determine, before any cyber-attack occurs, which workstream costs will be subject to coverage; which workstream costs will fall outside of the coverage; and which workstream costs might be uninsurable.