Brokers should look for these three things in a cyber insurance policy

Cyber insurance policies still tend to be confusing for brokers, but there are three areas that they should focus on, recommends Nathan Rose, senior underwriter and business development specialist with Burns & Wilcox Canada.

This includes: 1) policies that have encryption exclusions related to mobile devices; 2) retroactive cover; and 3) voluntary notification, Rose told Canadian Underwriter in an interview Wednesday.

1. Encryption exclusions related to mobile devices: Some policies will exclude coverage if the organization’s mobile devices are not encrypted. Encrypting these devices is sound risk management and should be standard practice. “It’s not always the case,” Rose warned, adding that he believes coverage should not be contingent on that being done. As well, a larger company will likely have solid risk management procedures and understand the need to educate employees about the risks of unencrypted devices, but a smaller company may be a little more relaxed. “Always draw [clients’] attention to that: The need to actually encrypt devices,” said Rose, who was a Lloyd’s broker for over 10 years. “I would always say don’t exclude it as a result.”
2. Retroactive cover: Some policies will exclude coverage for claims that an insured would have reasonably foreseen (due to inadequate security measures in place before a certain date). However, it can be difficult for an insured to say they’ve “got security measures in place, but I didn’t prior to this date,” Rose said. Brokers in this case should look for “full prior acts” policies or those that are triggered by the “discovery of a network event” rather than retroactive cover.
3. Voluntary notification: Consider the mandatory breach reporting under the Personal Information Protection and Electronic Documents Act (PIPEDA). Generally, these types of regulations require businesses that lose personal data to provide written notice to all individuals potentially affected. But even without a legal obligation to do so, the trend is moving toward reporting a breach even if it couldn’t necessarily be proven to protect a company’s brand or reputation. “So, a notification before they’re mandated to do so,” Rose said. “Not all cyber policies will cover that cost.”

The various differences between cyber insurance offerings make it difficult for brokers to actually draw true comparisons between wordings, Rose said. “You have to really scrutinize a lot of the wordings. It’s [sometimes] the same coverage, but it goes by different terms and different names.”

To help brokers navigate the space, the managing general agency “draws comparisons to some wordings when we give our terms” in the underwriting process, Rose explained. “So when they’re in front of their clients, they are confident, they have a solid product offering and something suitable to their insured’s needs.”