Wednesday, March 23, 2016

Excellent story in today’s Insurance Law360 (subscription required) about yesterday’s cybersecurity hearing at the U.S. House of Representatives' Homeland Security Committee. The hearing was a Cyber Insurance 101 for committee members, with cybersecurity and cyber insurance experts from various companies helping to get members up to speed on the growing risk of data breaches.

One of the main lessons from the hearing was that the mere presence of cyber insurance policies has strengthened data security because they promote “discussions about data security measures across a company's departments.”

As Tom Finan, chief strategy officer at Ark Network Security Solutions and a former leader of the Department of Homeland Security's cyber incident data and analysis working group, says, "I see insurance as a vehicle to make cyber risk more of an enterprise risk management problem."

Certainly, making corporate executives stop and examine what their company is doing to safeguard its data is a healthy exercise. But in our work with businesses that are negotiating their own cyber policies, we caution against making the process all about corporate policies.

Many cyber policies include exclusions that effectively shift the risk back to the insured, for example by requiring that the company follow certain security protocols. But because, according to a recent report in Business Insurance, more than 70 percent of data breaches are attributed to “credentialed insiders,” any policy that puts all the risk back on the insured is effectively a worthless policy.

For more advice on what to look out for when buying a cyber policy, check out our Tips for Buying Corporate Cyber Insurance.

A few other highlights from the Law360 story:

1) The main obstacle for standardization of cyber policies is a lack of data about cyber risks and incidents. Consequently, DHS is considering a “unified cyber incident data repository” that would collect (possibly anonymously) information about corporate cyberattacks. Such a repository could “bolster insurers' ability to model the likelihood and severity of cyber incidents,” says Matt McCabe, a senior advisory specialist at insurance brokerage Marsh USA.

2) Because there is so little data, underwriters have been pricing policies based on assessments of prospective insureds, which means cyber products are both more customized and more expensive, according to North Dakota Insurance Commissioner Adam Hamm, who chairs the National Association of Insurance Commissioners' cybersecurity task force.
