It pays to forge better ties with your cyber insurance agent.
That’s becoming abundantly clear for big businesses and small enterprises, at a time when relationships with cyber insurance companies seem more acrimonious than ever and policyholders are running into costly disputes. Witness the rash of bitter lawsuits that made headlines in just the last several months:
- The University of California filed suit last month against Lloyd’s of London alleging the insurance marketplace refused to negotiate or cover claims related to a cyberattack nearly 10 years ago in which the records of more than 4.5 million patients were exposed.
- Raleigh Radiology sued Arthur J. Gallagher in April, alleging the insurer hadn’t informed the company its cyber insurance policy had lapsed shortly before a ransomware attack took down its network, resulting in more than $1 million in damages.
- A New Jersey appellate court recently ruled that insurers must pay $1.4 billion to pharma giant Merck & Co. for damages incurred in the 2017 NotPetya virus attack. Because the attack was attributed to Russia’s military intelligence operations, the insurers had argued coverage did not apply as it fell under a warlike-act exclusion. An appeals court rejected that position, concurring with a lower-court ruling in 2021.
- Mondelez International and Zurich American Insurance last October settled a similar NotPetya-related case in which Mondelez, the food and beverage multinational that owns Oreo cookies, Ritz crackers, and Philadelphia cream cheese, said it suffered upwards of $100 million in damages. Settlement terms were not disclosed.
Yes, some disagreements like these are bound to occur no matter what insurers and policyholders do, because of the still-developing nature of cyber insurance products and the constantly shifting threat landscape. But building a strong relationship and enhancing clear lines of communication with your insurer can help head off potential conflicts and litigation. Here are five key steps toward that goal:
1. Designate a risk officer
Not every company is big enough to do this. But Lewis Guignard, director of data solutions for Guidewire, which sells policy and claims management software to the insurance industry, recommends anointing someone to oversee all risk management, including property, workers’ compensation, cybersecurity, and everything else.
This person would be the one dealing with insurers and would also be responsible for assembling the right teams for planning and incident response issues.
2. Find the right cyber insurance agent
Do not assume every cyber insurance agent is the same. Pete Hedberg, vice president of underwriting for Corvus Insurance, which sells cyber insurance, says brokers are “generalists” handling multiple types of insurance, with cyber just one of them. In other words, they may or may not have the security expertise you really need.
“Enlisting a broker who can have the right conversations with you about cybersecurity is critical for this type of product,” he says.
3. Understand your policy
Cyber insurance is arguably the least understood product in the insurance market today because of the opaque nature of cybersecurity itself, which many enterprise leaders struggle to comprehend, and a plethora of cyber insurance myths and misunderstandings, which frequently dupe executives into forgoing cyber insurance entirely.
On the flip side, the purchase of cyber insurance doesn’t mean you are home free. No two policies are the same. Like homeowners’ contracts that lack fire, flood, or earthquake coverage, cyber insurance does not protect against every imaginable scenario. You need to understand what’s included, what’s excluded, and where the gray areas lie, because those can lead to big problems down the road.
4. Have a cyber-incident response plan
Hedberg also recommends having a step-by-step guide for what you will do in the event of a cyberattack. This is especially important given a recent Corvus report showing ransomware attacks are making a strong comeback after a bit of a lull in 2022.
Overall, ransomware attacks in the early months of 2023 were up 60% from the same time a year ago, the report found. More alarmingly, though, there was an 800% surge in attacks against telcos, a 700% spike in the healthcare sector, and a 220% jump involving government agencies.
Given these statistics, having a specific incident response plan is essential for any enterprise. The guide should include engaging your cyber insurer as a very early step. The cyber-incident response plan should also specify other key players to call, what information to share, and lay out how you’ll work with involved parties over time.
Critically, it should be continually updated. Devising the best-ever plan and letting it gather dust on some shelf would be a huge mistake, Hedberg adds.
5. Stay in regular touch
The best way to ensure a solid relationship and avoid misunderstandings is to have ongoing and candid conversations with your cyber insurance broker. Discuss any coverage concerns and ask questions. Work with them to adjust your policy as needed, and make sure they agree to alert you to looming changes and expiration dates.
“Interaction with your agent is going to significantly boost your understanding of your cyber insurance product,” says Hedberg. “Engagement drives enlightenment.”
To learn more
Check out the first installment in this two-part series, which details some unexpected benefits of partnering with your cyber insurer, and these other cyber insurance resources: