Not all cyber policies are created equal…
Given the rapid evolution of cyber solutions, including incident response and proactive services, it’s unsurprising that conversations about the role of cyber insurance in protecting policyholders are changing.
Reflecting on what this means for brokers, James Burns, head of cyber strategy at CFC, underscored the importance of maintaining focus on insurance as a promise to pay as well as, increasingly, a promise to protect. There’s still so much nuance between different cyber insurance products, he said, and those coverage nuances can have massive implications at the point of claim.
One – The difference between data recovery and data recreation
Not all policies are created equal, and for brokers, the challenge is differentiating between covers that can appear very similar but actually differ greatly depending on how the policy language is crafted, or how the policy is structured. An example of one of these subtle nuances is the difference between data recreation and data recovery in cyber insurance policies. “That one word difference completely changes the nature of cover available under the policy,” he said, “and I think it’s something brokers really need to watch out for.”
Most cyber policies will cover data recovery, which tends to be applied when an insured has their data or systems encrypted or corrupted by a threat actor, usually by ransomware. Data recovery covers the cost of electronically reconstituting that data to the extent that it is electronically recoverable. But what happens if data that is critical to a business’s ability to operate isn’t recoverable electronically?
“That’s where data recreation steps in,” he said. “Data recreation covers the cost of recreating that data set from scratch, often using external specialists to essentially rebuild data sets to their pre-incident state.” Burns cited a recent example of this where an engineering firm insured by CFC was hit by a ransomware attack, which encrypted all the data files on their servers and all the data backed up on their local hard drives.
“They thought they’d been backing up data to a cloud server but when they went to restore those backups they discovered they’d been failing for the past four years,” he said. “So, all the files relating to every project and proposal they had during that period were totally unrecoverable. To add insult to injury, the threat actor was completely unresponsive so paying the ransom wasn’t even an option for them; they were totally stuck, unable to continue to service their clients without access to the files.”
The data recreation element of the client’s policy meant the engagement of external engineers to come in and assist the management team in recreating what had been on those critical business files. “Over a period of months, they gained back nearly everything that was lost at a cost of around £200,000, which was covered in full. But if the policy hadn’t included that one word – recreation as opposed to just recovery – there’s a good chance they wouldn’t have been able to do any of this and could have gone out of business.”
Two – why unlimited reinstatements are a gamechanger for policyholders
Another critical coverage consideration is around unlimited reinstatements, which can easily go undetected by brokers. “The vast majority of cyber policies give the policyholder a single aggregate limit. So, you buy a cyber policy with a £1 million limit, with £1 million for response, £1 million for business interruption, £1 million for liability and so forth. But those limits are always subject to an overall cap of £1 million for the policy as a whole, so each claim a policyholder has erodes that limit.
“So, if they have an incident which causes a £1 million claim, they’ve technically got no money left for any subsequent issues that might arise throughout the course of their policy period. Unlimited reinstatements allow for the full reinstatement of certain limits to ensure that the policyholder is fully protected in the event that they do have more than one incident during the policy period.”
Given the high frequency of cyberattacks today and the costs involved, businesses are faced with the prospect of suffering more than one attack within a relatively short space of time. Unlimited reinstatements mean that brokers can assure their clients that even if they’re hit by a devastating attack, their coverage will support them through any subsequent incidents. “It’s back to nuance and how the words on a policy can actually transform the way that policy works. And that can be easy for brokers to miss because they aren’t necessarily used to seeing limits on a cyber policy work this way.”
Three – what are nil deductibles and why are they so important?
A third key area that brokers need to be on the lookout for is nil deductibles. It’s a coverage consideration perhaps more important in cyber than other lines of business because speed of response is so critical in minimizing the impact of a cyber incident. The sooner the coverage provider is alerted, the faster they can engage their technical expert first responders to triage, contain and remove the threat.
However, some businesses avoid contacting their cyber insurers straight away because they worry about hefty upfront costs in the form of their excess or deductible, or they’re concerned about triggering a claim for a small event that could potentially increase their future premiums. So, rather than engaging their insurer over something that could turn out to be nothing, they’ll wait and see how the situation develops and only notify them if it starts looking serious.
“But when it comes to cyberattacks, every second really does count,” Burns said. “If you wait and see how the situation develops, by the time you notify your insurers, the situation could be much more serious and costly than if you had called in right away.”
He advised that brokers be on the lookout for policy wordings that offer initial, instant response services at a nil deductible. That wording nuance means policyholders can notify their insurer when they suspect something is awry, without the burden of having to pay for the initial response, without a claim being automatically triggered, and with access to an expert in-house team. Insureds should feel comfortable tapping into the expertise of insurers and leaning on their services in their time of need. This approach is proven to lead to much better outcomes for policyholders – reputationally, financially and operationally.
Cyber products have evolved to become about much more than just a policy wording, but the policy wording remains immensely powerful – any business interruption dispute shows that. Sharing his key message for brokers, he asked that they take the time to really understand what the language used in a cyber policy means, and to lean on their insurer for support.
“Ask your insurer questions,” he said. “Give them scenarios and say, ‘Would this be covered under your policy? What does this word mean? How does recreation differ from recovery?’ And make sure that you really push them to give you answers. Because I think that it’s important that brokers who are selling these products truly understand the extent of the cover that’s given under them, or the cover that might not be there in a policy that’s been worded a certain way.”