Buying a cyber policy? Make sure it’s retroactive

When it comes to cyber insurance policies in Canada, retroactivity is noticeably absent from coverage, a cybersecurity expert told Canadian Underwriter Tuesday.

Consider the following example: unbeknownst to a business, malware had existed in the organization’s computer system since November 2017. On Jan. 1, 2018, the company bought a cyber insurance policy. The company later discovered the malware, but coverage was denied because of retroactivity, meaning the malware was in the system before the policy was purchased.

Standard insurance policies do not support retroactivity, said Kevvie Fowler, partner, cyber risk with Deloitte Canada. But “if it’s a large enough policy,” insurers may be willing to insert a clause to support it. For example, a policy may state coverage is in effect retroactive two years from the date of signing.

“If it’s a bigger policy, you can have them make a non-standard change,” Fowler said. But in terms of just being offered by default, retroactivity is the biggest thing that is missing.”

Complicating the issue of retroactivity, it usually takes organizations close to 200 days to notice or detect a breach, although that number is shrinking. “So people who sign up for policies basically cross their fingers and hope for 200 days that nothing has happened before the policy takes effect,” Fowler said.

Company executives, particularly the chief information officer or chief information security officer, should be aware of the retroactivity issue before the time of a policy purchase. Otherwise, said Fowler, “You go to the board and you tell them you just got a cyber insurance policy of millions of dollars in coverage. Then, when something happens, you have to go back to the same group and tell them, ‘Look, we are not covered.’ It makes it look like you haven’t done your homework and due diligence.”