What Are Common Coverage Enhancements On a Cyber Liability Policy?
Cyber crime
There’s disagreement within the industry about where this coverage should be found. Are cyber policies better equipped to deal with computer crime since they are built around unauthorized network intrusions to begin with? Or should cyber crime be left in the hands of crime underwriters who can tweak their policy to simply cover crimes when they happen via the internet? Regardless, it’s important to know that, depending on the carrier, the coverage extension is available and it would reimburse the insured for the actual funds that were stolen.
Property damage
Not all hacking attacks are limited to stolen data. Sometimes the malicious code that hackers use causes widespread damage not just to data but also to the physical property connected to the network. Carriers are beginning to offer coverage that replaces or repairs this property. The types of property included should be as broad as possible, covering computers and related peripheral components, including Internet of Things (IoT) devices, terminal devices, mobile devices (handheld and other wireless computing devices) and storage and back-up devices.
The other question: if the carrier agrees to restore or replace damaged equipment (or software for that matter), will they pay for improvements to the system? An improvement to security that goes above and beyond what the insured had in place before the claim and which also reduces the chance of a future claim could, in the end, be good for both the insured and the carrier. Some carriers see it this way and will offer to pay up to a certain percentage (e.g. 25%) over what the original property cost if the replacements will improve the security of the insured’s systems.
Social engineering
Phishing, spear phishing, baiting, tailgating…these are all terms in common usage today but it wasn’t long ago that social engineering was nothing like the massive threat it has become. Thanks to the internet — and especially social media — bad actors can collect troves of information that they can use to manipulate victims.
The insurance industry is playing catch-up. Some carriers are meeting this demand with endorsements to their existing policies.
With this coverage, the policy no longer requires that a 3rd party gains unauthorized access via a virus or some other malicious code for coverage to begin. With a social engineering coverage enhancement, if, for instance, an employee is tricked into sending PII or confidential corporate data to someone who is conducting a spear phishing attack on them, coverage would be afforded for the subsequent claim.
3rd party business interruption
Any company that relies on cloud computing or business process outsourcing exposes itself to the risk that the 3rd party it is relying on will suffer a security breach. For example, when AWS (the branch of Amazon that provides cloud computing services to Netflix and the CIA, to name a few) goes down, it has wide-reaching effects on the operations of organizations around the world. A 3rd party business interruption coverage extension would reimburse the insured for any income it lost during the time it had to stop operating because of an attack (or other covered loss) on a 3rd party service provider. Similar to traditional business interruption insurance, it would require a minimum down-time (or “waiting period”) of usually 6 or 8 hours before coverage would begin.
Automatic additional insured status
Not all contracts will require that the other party is added as an additional insured on your cyber policy but this requirement seems to be appearing more and more often. The ‘automatic’ enhancement would give additional insured status to any third party that the insured has a professional services agreement with as long as that agreement explicitly states that additional insured status is required. The carrier won’t offer the extension if there’s no contractual obligation for the other party to be added.