This is the seventh in our series sharing thought pieces from the CISO Desk Reference Guide: A Practical Guide for CISOs, volume 1. In the following excerpt from the composite essay for Chapter 7, we begin with the basics on cyber liability insurance. Please enjoy.

Risks Covered by Cyber Insurance

Let’s look at the types of risks that cyber insurance covers. As noted above, traditional property and general liability insurance does not cover security breaches that frequently result in the loss of intellectual property, customer lists, price lists, client records, and other sensitive data. Cyber liability insurance addresses the coverage gap associated with property insurance to handle these losses. In addition, cyber insurance covers two distinct categories of expenses: first-party expenses (the organization’s specific expenses) and third-party claims (the exposure to claims against the organization given a breach or other such incident).

First-party expense coverage is designed to cover expenses tied directly to the organization, including cyber extortion coverage, business interruption coverage, and other business-related expenses associated with the breach. The latter includes items such as the costs of digital forensics and the hard costs associated with breach response (customer notifications, credit monitoring services, increased staffing to field client inquiries—crisis management, if you will).

Third-party expense coverage addresses penalties and regulatory actions related to privacy and security violations resulting from inadequate privacy and security protections within the organization. Third-party coverage may also include content-related issues, including copyright infringements, libel, and slander. Policies have coverage limits, with sub-limits for specific first-party and third-party damages. We highly recommend that you retain a qualified insurance broker to assist you in validating what the policy covers and how coverage varies from carrier to carrier. The cyber insurance marketplace is competitive, so vetting several providers should be the norm—try to get quotes from at least three carriers.

As part of the policy due diligence, validating explicit exclusions and effective date clauses is essential. Given how nuanced this type of insurance may be, a given exclusion could be the difference between a policy that has value to the organization and one that is not worth purchasing. Similarly, we know that it can take months to discover a breach. Sophisticated attacks are extremely difficult to detect and often go unnoticed for half a year or more. Work closely with the broker to ensure that a retroactive effective date is available with the policy.

A good practice is to create a simple matrix outlining the critical variables associated with each policy, including aggregate limits, sub-limits, exclusions, effective (retroactive) dates, and related costs. Cyber liability insurance varies in the cost of coverage from carrier to carrier more than other insurance types, so work with your selected broker to vet the options carefully. Caveat emptor has never been more critical than for this type of purchase.

The scope of cyber liability insurance applications has also expanded over the years. Early policy applications were straightforward, suggesting that the insurance industry did not fully understand the complexity and technical nuance of cyber risk. Unlike other types of coverage, which have actuarial tables that accurately estimate the likelihood of a claim (think life insurance), cyber liability insurance does not yet benefit from that maturity. The challenge is that prescribed activities (security policies, technical controls, and other actions) have not necessarily translated into reduced risk in the same way that “don’t smoke and get exercise” translates into longer and healthier lifespans.

Applications today can routinely reach 15 to 20 pages, covering a broad range of cybersecurity issues. Underwriters seek to reduce their liability by validating the existence or occurrence of specific cybersecurity practices within the organization. At times, this validation becomes too prescriptive, focusing on the means rather than the objective those means are meant to achieve.

As a case in point, on one recent application there was a section to capture which security technologies are in place. One of the questions on the form asked if there was a “web application firewall,” and the response options were simply “yes” or “no.” There was no question regarding whether the web application firewall (WAF) was configured correctly (WAFs typically require a significant amount of tuning as they learn the normal behavior of the applications that they protect) or whether the WAF was protecting applications that are material to the policy’s coverage (e.g., an application containing PII, cardholder data, or ePHI).

There are similar challenges with other questions often asked in policy applications. Cases in point include the existence of a security policy or a disaster recovery plan. The anticipated “yes” response (i.e., the organization has a security policy and a disaster recovery plan) does not provide context on the policy’s completeness or the program’s effectiveness. Further, a simple “yes” response does not indicate if the security policy has been reviewed and approved by management, conveyed to all employees, or is current. (We cover the topic of security policies in Chapter 3.)