Cyber insurance process becoming more rigorous for certain industry sectors, cyber risk conference hears

The process to obtain cyber insurance may be more rigorous than it has been just a few years ago, even if it is a renewal, a speaker suggested last week at the 2016 International Cyber Risk Management Conference (ICRMC) in Toronto.

Catherine Evans, assistant vice president at Marsh Canada Ltd., said that the process may be more demanding if an organization falls within five main categories that “most insurers these days seem to consider to be higher risk” – retail, healthcare, financial institutions, education or energy. “It’s not that you’re not going to be able to find insurance, but there are some market limitations in terms of which insurers are interested in writing this coverage and which have a good understanding of the needs of those types of insurance,” she said during a session on Thursday titled Cyber Insurance – Avoiding the Pitfalls, held at the Toronto Hilton.

Cyber insurance has changed dramatically over the past few years, Evans said, noting that the contracts themselves and the coverages provided within have become so much broader that “insurers and underwriters need to collect a lot more information to be able to effectively assess a risk. So if you’re an organization that falls within a combination of any of those above buckets, you just need to be aware that the process to obtain insurance might be more rigorous than it has been historically, even if this is a renewal for you.”

Evans also told conference attendees that as the policies themselves have broadened, the questions contained within have become more detailed. “One thing to keep in mind with respect to cyber policy specifically is that upon binding, the policy, the application becomes a part of the coverage, it becomes a part of the policy itself,” she said. “So when you are completing this application, you need to be very accurate in what you are providing, you need to be forthright and you need to be upfront.”

In particular, the broker or whomever is placing the application needs to look at the definition of application within the coverage itself. Evans said that it needs to be constrained so that it only covers the application being completed as well as any documents that are explicitly included within that application. “You don’t want it to reference any other publicly available information or any other public documents that don’t necessarily affect the coverage but that could be pulled in later detrimentally,” she said.

Another important consideration is taking a “very close look” at warranty statements on the application, Evans said. “We find that a lot of insurers are making these warranties, specifically on a cyber application, quite broad.”

The warranty language on an application to be signed needs to be reasonable in scope, and limited to a certain control group within the corporation. “You don’t want to, in the event of a claim, find out that somebody who is fairly junior in the organization knew of something [and] never reported it,” she said. “So those that completed the application would never have been made aware of it, but because a low level individual within the organization knew that it had happened, now the insurer is going to deny the claim.”

If possible, Evans said, limit the application to only a specific group of people, whether by title or by name. “You also want to make sure that the warranty is limited to circumstances that would clearly fall within the scope of the coverage.” She added that at this point, most insurers have not developed specific renewal applications, so upon renewal of coverage, the applicant is still being asked to complete the same long-form application that they would have completed upon the initial placement of the policy.

“Upon renewal, you should not have to complete that same statement,” she said. “We recommend you don’t sign any warranties upon renewal. The same would go if you are moving coverage from one carrier to another.”

But Matthew Davies, AVP – professional, media and cyber liability at Chubb Insurance Company of Canada, suggested that people “pull at least the control group” before switching carriers to “make sure you aren’t going to end up in a situation where you changed carriers… then you have a coverage gap if something happens within a reasonable amount of time that the coverage has moved from one carrier to another.” Davies added that most carriers would want their own warranty statements for those that switch.

There is also “significant interest” in the type of information being held for others. “So if you’re holding health information, financial records, credit card information, or anything that can be deemed as personally identifiable information – so something a little more personal than a name and an address, if you’re holding like this about your employees or clients or third parties – then then that is going to raise some red flags, especially if the number of records that you hold are in excess of 500,000,” Evans said.

She added that there are also going be some significant questions about an organization’s information security program and how mature it is. Even if the program is not as robust as insurers or an organization would like it to be, “as long as you can show an insurer that you are working towards a more mature program or that you have some compensating controls in place for what might be perceived as some areas that are lacking, oftentimes insurers will be willing to work with you.”

More coverage of the 2016 ICRMC

Third-party service providers can be ‘hornets nest’ in cyber security: ICRMC speaker

Cyber insurance underwriters may want to consider less “absolute” questionnaires: ICRMC speaker