
Navigating the Cyber Policy Landscape: Insights from the H3PT June 13th Meeting

Written by Health3PT | Jul 9, 2024 6:56:19 PM

Dear Council Members, 

As a follow-up from our 6/13 meeting, below is a summary of the considerations for evaluating the cyber policies held by your vendors. Thank you to Josh Ladeau, CEO of Trium Cyber, and Sidney Prasse, Partner at McGill, for sharing these and other insights at the council meeting.

1. Cyber Carrier 
    1. Look for a policy with a well-established cyber carrier; there are a lot of new entrants because of the growth in this market, and products are not homogeneous 
    2. Experienced with cyber claims 
    3. Offer clients a “breach response hotline” that acts as the emergency response mechanism for a cyber event 
      • This typically is an “800” number that establishes contact with an experienced breach coach within just a few hours of when an organization becomes aware of an event 
      • In addition to a “breach coach” attorney (such as Mullen Coughlin), this mechanism brings together notice and credit monitoring vendors (such as Experian or TransUnion), data forensic vendors, public relations specialists, ransomware payment vendors, etc. 
2. Stand-alone vs blended policies 
    1. In many cases, an “employing entity” may require a vendor to purchase an insurance policy(ies) to cover not only cyber, but also technology and/or miscellaneous professional services. 
    2. Some insurance companies offer cyber but do not offer technology E&O, or vice versa. Vendors required to buy both cyber and E&O can address the insurance requirement with two stand-alone policies, each of which will have its own aggregate limit of liability. 
    3. Other insurers write both cyber and tech/MPL E&O and will generally combine all those coverages into a single policy with a shared aggregate limit. 
    4. A key benefit of the stand-alone policies is that there are dedicated limits for each exposure (tech/MPL vs Cyber, with for example, a $1M aggregate on each policy, for a total of $2M in aggregate coverage). 
      • However, it is possible, perhaps likely in many cases, that a cyber event could implicate both the tech policy and the cyber policy simultaneously. As there may be valid coverage under both policies (issued by two separate insurers), there can be conflict in determining which company covers which aspects of the loss. That multi-company adjudication process can add complexity and delay to a claim, and potentially complicate a payout to the insured. 
      • A key benefit of the blended policy is that there is no potential for coverage disagreement between cyber and tech/MPL E&O; the insurer is simply deciding to which bucket they want to allocate a loss vs arguing with another insurer as to who covers what parts of a claim. 
      • In the case of a blended policy, a $1M aggregate would be the maximum payable across both cyber and technology losses. A stand-alone policy would provide $1M of limit for each exposure, with a maximum payable value of $2M.  
      • It’s generally advisable to require a blended policy for tech/MPL and cyber, where possible, to eliminate the potential of conflict between insurers. There are times when an independent policy is advisable, and the commentary herein is really intended to create awareness of the potential drawbacks/advantages of stand-alone vs blended policies. 
3. Deductible/Self-Insured Retention (SIR) structure 
    1. Deductibles/SIRs are one consideration for insurers that can impact pricing of a policy. The higher the deductible/SIR value, generally, the cheaper the policy. 
    2. Smaller businesses may purchase a policy with an SIR option that is above their ability to actually pay in the event of a claim, in order to reduce the expense of a policy they are buying solely/largely in response to a contractual requirement. 
    3. As payment of the SIR is a requirement of virtually all insurers as a prerequisite to payment under the policy, it’s important that there is a reasonable relationship between the size of the SIR and the size of an organization’s annual revenue/ability to pay. 

For more information regarding the HITRUST announcement of the new cyber insurance product, please visit “HITRUST Announces Availability of New Cyber Insurance Product Exclusively for Its Customers” (hitrustalliance.net).