Organizations considering standalone cyber coverage should evaluate risk profile to see if traditional policies are adequate: RIMS

Organizations considering standalone cyber coverage should carefully evaluate their risk profile and determine whether more traditional policies provide adequate coverage, suggests a newly released report from RIMS, the risk management society.

The report, authored by Teri Cotton Santos, a member of RIMS External Affairs Committee and senior vice president, chief compliance and risk officer at The Warranty Group, explores the potential for traditional policies to cover cyber events, as well as first-party coverages, third-party coverages and additional needs. The report, titled Cyber Insurance: Considerations for Businesses and released on Wednesday, also provides a series of potential cyber insurance nuances that risk professionals must consider.

“Insurance providers are challenged with trying to keep pace with the evolving cyber landscape and develop products that help clients protect their organizations,” Santos said in a statement from RIMS. “Working closely with your broker can help insureds purchase coverage that addresses key risks to the organization that can result from a cyber event.”

The report suggested that organizations that do not purchase standalone cyber policies may look to more traditional policies like commercial general liability (CGL), property or crime to provide coverage for cyber-related events. And in some cases, courts have agreed with the insured. For example, in Travelers v. Portal Healthcare Solutions, a court found that the insured’s failure to secure a server, which resulted in the availability of personal health information online, was a “publication” under the personal injury and advertising provision of the insured’s CGL policy. As such, the court held that the insurer had a duty to defend the insured. In other cases, courts have found that computer system failures due to physical damage were covered under property policies.

“However, coverage under such policies may diminish in the future as insurance companies write cyber risk out of traditional policies,” the report said. “The trigger for cyber coverage is typically loss or a claim arising from either a security failure (due to a break in to the insured’s technology systems) or a privacy event relating to the unauthorized access or loss of personal information. These loss causes are ordinarily not covered by property of general liability policies, which is why companies seek standalone coverage.”

There does remain some gaps in cyber coverage that insurers must address, the report said, using the example of large data aggregators with massive amounts of personally identifiable information that present a “unique and potentially costly risk and cyber limits have not yet caught up. Insurers need better information to respond to risks related to emerging technology such as the Internet of things, driverless cars or wearable medical devices.”

Another area of large exposure is in those industries where business interruption is of greater concern than breaches of personal information such as utilities, manufacturing and transportation, Santos suggested in the report. Finally, industries where the value of the lost information is most critical, such as defence contractors and research labs, are generally excluded from today’s cyber policies.

According to the 2016 RIMS Cyber Survey, 80% of respondents had purchased standalone cyber insurance policies, up 29% from 2015. As well, 25% of respondents reported that their organizations purchased cyber insurance as a result of contractual obligations, up 17% from 2015.