For many firms, cyber liability insurance provides critical protection from financial loss stemming from a cyber incident, from legal damages and business interruption, to crisis management and investigation expenses. But as it's a relatively new, evolving, and very specialized type of insurance, businesses must exercise due diligence when shopping around for a new policy or looking to renew their coverage.
Chetan Sehgal, Partner and BDO Leader, Forensic Insurance Services, has five practical pointers for leaders:
1. Hidden vulnerabilities typically come to light only after a successful attack. Conduct a risk assessment of your control environment and develop a prevention program—or work with a firm that can—to purchase the most appropriate plan for your needs. A cybersecurity and forensics partner like BDO can also conduct a cost-benefit analysis to identify your blind spots so you can focus your insurance coverage on those areas, or, better yet, remove those blind spots prior to applying for insurance to avoid denial of coverage or high premiums.
“Once you understand your control environment, you can request quotes from several different underwriters to compare coverage options and conduct proper due diligence on not only the policy, but the insurance company.”
2. Work with your insurance broker or underwriter to ensure the policy fits your type of business and that you're fully aware of what's covered—but more importantly, what isn't covered.
“Review various cyber insurance options, familiarize yourself with the policy, and ask the right questions. We recommend that you be very mindful when selecting a policy to make sure it will apply to your situation. Work with experts who specialize in cyber insurance and have experience in your industry and geography to ensure you are getting the best possible advice.”
3. Select a response team you trust.
“If you've had a breach, it'll throw you into utter chaos as you try to be as operationally viable as you can. Dealing with an underwriter and other advisors you're comfortable with will make that process as smooth as possible. An effective response to a cyber incident is one that has been devised as part of contingency plan strategies and risk management. You need to have a team in place that can help you respond on short notice, including legal counsel, cyber breach professionals, and claim consultants or accountants.”
4. Take time to understand the policy fine print. Insurance policies aren't created equal, and with cyber insurance being a relatively new product, many buyers aren't aware of the pitfalls associated with these policies.
“Some insurance companies will conduct an assessment before they provide you with a policy and premiums. You have to understand what you're signing up for and what your responsibilities are to protect yourself. As the loss ratios on cyber claims have skyrocketed in the past year, the amount insurers cover appears to be declining while premiums are rising.”
5. Implement a comprehensive suite of cybersecurity controls and protections.
“Some clauses in insurance policies state that unless it can be determined that an organization had the right preventive controls in place, they will not issue a payout. Also, the more robust your controls are, the lower the risk of a breach, and that's going to affect the premiums you pay.”
Reactive and proactive cybersecurity measures working together
Above all, business leaders must not lose sight of the fact that cyber liability insurance is a reactive solution and does not prevent an attack from happening. That's a serious gap—because loss from cyber crime isn't just financial; it brings disruption to an organization's culture, operations, and reputation.
That means insurance is only one piece of the cybersecurity stronghold.
“Insurance is important because cyber attacks are happening more often, and it allows you to recoup some of your losses—but the bigger piece of it is prevention and addressing the root cause, which is plugging the holes in the potential for those attacks. You can't rewind if data is exposed,” observes Chetan Sehgal.
Businesses that double down on developing a well-designed business network defense strategy, securing their endpoints, and launching proactive detection and response mechanisms are better primed to recover with minimal damage.
How BDO can help you understand your cyber insurance needs
From quantifying the post-incident losses to proactively helping you understand the appropriate level of coverage, BDO can support your business throughout the insurance cycle.
We often get retained to deal with post-incident response, but our counsel doesn't stop there. Our cybersecurity and digital forensics team can help fortify your organization using proactive tactics that include focusing on employee awareness and training, conducting due diligence on your company's preventive controls, and quantifying risk to help you ensure the cyber insurance policy you choose meets your needs.
The value of working with BDO includes: