Originally published by New Hampshire Bar News.
Ten years ago, most companies didn’t know cyber insurance existed. Five years ago, many had not bought it. By now every company knows or should know that it needs cyber insurance. Risk-conscious individuals would never leave their driveways without auto insurance or run a professional services business without professional liability insurance. Likewise, risk-aware companies cannot operate in a digital world without good cyber insurance.
Similarly, five years ago, cyber insurance was cheap and easy to purchase. Carriers asked few, if any, questions, and premiums were low and largely dependent on the size and industry of the company. Two years ago, companies could easily renew their existing cyber insurance policies with their existing providers without much effort or premium increases. But then Texas froze, California burned, cyberattacks exploded, and the world plunged into a global health pandemic. Insurance underwriting was turned on its head in 2020.
Carriers desperately tried to avoid risk and increased premiums on all coverages, especially cyber, to absorb losses and restore profits. As a result, premium increases of 50% to 200% for cyber renewals have become common, even for security-conscious businesses that have never experienced a breach. For businesses that have been victims of data breaches, premium increases of up to 400% are not uncommon, if those businesses are able to secure coverage at all. In fact, carriers simply refuse to renew coverage for security breach victims as well as small businesses with low premiums, leaving them without cyber insurance altogether. In addition, the policies offered often reduce coverage, e.g., by a significant increase in deductibles, a significant reduction in limits and the complete exclusion of cover for certain losses.
As if all of this wasn’t bad enough, companies facing cyber insurance renewal now have to clear another major hurdle in the form of a detailed application questionnaire. While carriers used to ask few, if any, questions about a company’s security preparedness before issuing cyber insurance (admittedly poor risk management), they have now reversed course. These questionnaires include targeted requests to assess whether a company has implemented very specific cyber security measures, such as and so on and so on.
Even companies that have previously delved into cybersecurity can struggle to answer all of these questions in the way carriers want them to. Failure to do so often results in large premium increases or a blanket non-renewal, so the consequences of this process can be serious. Two steps are critical to properly preparing to purchase or renew cyber insurance.
First, companies should begin working with their insurance agent and a cybersecurity attorney at least six months before the expected date for filing cyber insurance applications or renewals. The agent and attorney should review the application forms of the carriers to which the company intends to apply to determine the specific safeguards required by those carriers. Such advance planning is necessary because it often takes a company months to implement measures that it may lack. Additionally, working with a cybersecurity attorney will help ensure the application is properly completed and the process is protected by attorney-client privilege.
Second, if a company has experienced a breach or even a minor security incident in recent years, then months before the application process, the company must work with its insurance agent and a cybersecurity attorney to devise a strategy to address the breach or incident during that process. Such a strategy will likely include determining which carriers might be willing to consider insurance coverage despite the breach or incident, and the likely premium increase for such insurance. Such a strategy also requires ensuring that all actual and potential vulnerabilities that caused or could have caused the breach or incident have been fully remedied, that the company is able to demonstrate tangibly that its cyber security measures in general have improved significantly after the breach or incident, and that it conforms to an industry-recognized cyber security standard.
Cyber insurance renewals are anything but routine. Companies that don’t prepare – starting months before this process – are likely to be unhappily surprised by either a staggering premium increase or a total non-renewal.
Cameron Shilling is a shareholder at McLane Middleton, where he is Director of Litigation and Chair of the Cybersecurity and Privacy Group.
The content of this article is intended to provide a general guide to the topic. In relation to your specific circumstances, you should seek advice from a specialist.