'Confusing as hell': Making sense of cyber insurance
Sharon Nelson (left), president of Sensei Enterprises, and Judy Selby, a cyber insurance consultant and lawyer, speak during the panel “Cyberinsurance: Necessary, Expensive and Confusing as Hell,” on Friday morning at the ABA Techshow in Chicago. (Photo by Saverio Truglia.)
When it comes to managing a firm’s cybersecurity risks, password regimens and encrypted backups are not enough. You need cyber insurance.
A Friday morning panel at ABA Techshow entitled “Cyberinsurance: Necessary, Expensive and Confusing as Hell,” attempted to demystify the nascent cyber insurance field while underscoring how vital it is to have some sort of insurance policy in place in case of cyberattacks. Panelists Judy Selby, a cyber insurance consultant and lawyer, and Sharon Nelson, president of Sensei Enterprises, laid out the case for the insurance and the challenges of understanding it.
No matter how good your cybersecurity infrastructure may be, “it can’t stop it all,” said Nelson. She argued that cyber insurance is necessary, “because you are managing an enormous risk.”
Providing background on the relatively new area of cyber insurance, Nelson quoted a PricewaterhouseCoopers report that found one-third of businesses have a cyber insurance policy. Additionally, she noted that policies are being offered by upwards of 60 insurers.
At the same time, according to the 2017 ABA Legal Technology Survey, 22 percent of solo and small firms reported a data breach—an increase compared to the previous year, when 14 percent of such firms reported a breach. For many, this can be devastating. According to Nelson, it has been reported that half of all small businesses close within six months after a breach.
Cyber insurance varies, but these types of policies can often cover first-party contingencies like legal, forensic, notification, credit monitoring and breach coach costs. It may also cover business interruption incurred by the insured or contingent business interruption, which provides coverage when a third-party service provider that the insured relies on, such as a cloud storage vendor, cannot operate because of a cyber incident. Policies may also cover data restoration, extortion, denial of service attacks and social engineering attacks.
Some policies will cover third-party contingencies like privacy and network liability, public relations, regulatory liability, fines and payment card issuer liability.
With growing demand and offerings, the cyber insurance market is still new, or a “soft market” in the terms of the presenters. This means that prices vary and terms and exclusions in cyber coverage are not standardized across the industry.
“No matter what two polices you’re looking at, it’s apples and oranges,” said Nelson.
This includes ubiquitous terms like “cyber incident” or “social engineering,” which will be defined by the insurer in their own idiosyncratic way. To this end, both say it is important to read through potential policies with an eye toward detail and definitions.
“When the question is ‘are we covered for X or Y?,’ you never want the answer to be ‘maybe,’ ” said Selby.
Nelson believes that $1 million is the minimum coverage a small firm should seek. If a firm is dealing with more regulated data, like health care or particular financial documents, then she says $2 million in coverage is reasonable.
While navigating a new insurance market may seem daunting to the uninitiated, the panelists recommended finding a cyber insurance broker to help make sense of terms and coverage and find the appropriate plan.
As well, they add that these policies are open to negotiation to secure the right terms and meet the needs of the insured.
“You’re not entirely helpless,” said Nelson.
Follow along with our full coverage of the 2018 ABA Techshow