Scrutiny ratchets up of companies' cyber insurance, practices

Underwriters now take a fine-toothed comb to commercial cybersecurity practices, and regulators are starting to do the same.

By June 2021, the total value of suspicious activity associated with ransomware transactions for the year exceeded the total value reported during the entirety of 2020, according to the U.S. Treasury Department.

Though standalone cyber insurance policies are new in the industry, they have grown in the last decade to account for increased risks and corresponding insurer and regulatory scrutiny. According to a December 2020 National Association of Insurance Commissioners report, premiums in cyber policies totaled $3.15 billion, doubling since 2015, and demand for standalone policies increased 24%.

The landscape of standalone cyber policies has transformed, and companies must review their existing or proposed cyber coverages carefully.

Increased insurer scrutiny

Recently, insurers have been limiting coverage, charging more and changing underwriting standards. At renewal, some insurers have required that companies increase their protections, such as by requiring multifactor authentication; answer more questions about security measures, including supplemental ransomware-related applications; and maintain higher baseline safety measures and controls.

When a policyholder obtains a cyber insurance quote, they may find that the coverage offered is different than before. Some major domestic cyber insurers have added ransomware sublimits or coinsurance provisions. A sublimit means that coverage for all ransomware-related losses is limited to a lower limit than other policy coverages. A coinsurance provision means that the policyholder will pay a proportion of all ransomware-related losses, with some policies requiring the policyholder to pay 50% of all such losses while the insurer pays the remaining 50%, subject to a sublimit.

In response to loss ratios over 100% (meaning insurers paid out more in claims on policies than premiums written), some other insurers have issued endorsements at renewal that seek to limit coverage for “widespread events,” or those that may impact many different insureds, such as the recently discovered Log4j vulnerability. Even Lloyd’s of London has suggested major changes to coverage, including proposing four exclusionary endorsements that attempt to limit or preclude coverage for otherwise covered losses arising out of actions “by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.”

Increased regulatory scrutiny

Regulators have also begun to crack down on companies’ cybersecurity disclosures. In June 2021, the U.S. Securities and Exchange Commission (SEC) fined a company because, despite seemingly prompt disclosure, the SEC concluded that the company failed to maintain required disclosure controls and procedures.

In addition, the New York Department of Financial Services recently charged companies under 23 NYCRR Part 500, which established cybersecurity requirements for certain financial services entities. The Federal Trade Commission also regularly investigates and takes action against companies that fail to meet promises to consumers regarding safeguarding personal information. And the Department of Justice recently announced its intent to utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.

Companies should expect that regulators and agencies will take a more active role following a cyberattack. Fortunately, despite reductions in coverage, insurance can help mitigate costs arising out of a cyberattack, as well as defense costs incurred for claims from a cyber incident and, at times, settlements and judgments.

Analyzing coverage

Because the market is rapidly changing, policyholders should not expect that they’ll be offered the same coverage at renewal. Policyholders should start their renewal process earlier going into this year’s renewal so they have time to analyze new pricing and new endorsements that may limit coverage, and to consider alternative forms, insurers, and policies to maximize coverage.

Along with auditing cyber insurance policies to determine the extent of coverage following a cyberattack, companies should be looking to their other policies that may provide coverage following a cyberattack — errors & omissions, general liability, kidnap, ransom & extortion, crime, directors & officers, and sometimes commercial property policies.

When purchasing or renewing policies, companies must look at their program as a whole to ensure there are no gaps in coverage for costs and liabilities the company may face after a cyberattack. While policies are meant to work together, actual coverage afforded across a company’s insurance program can lead to a patchwork of policies resulting in coverage limitations or gaps in protection for cyber-related exposures. Care must be taken to fill these gaps at renewal.

Below are a few tips that corporate policyholders should consider in analyzing their coverage:

The coverage gaps above are just a few traps for the unwary insured. Companies are best served by working with experienced insurance coverage counsel and insurance brokers to analyze coverage and fill gaps so as to maximize coverage for the company, board, and executives in the event of a cyber incident.

Walter Andrews, a partner and head of Hunton Andrews Kurth’s insurance coverage practice, focuses on complex insurance recovery, counseling, arbitrations, litigation and expert witness testimony.

Andrea DeField, a partner at the firm, finds risk management, risk transfer and insurance recovery solutions for public and private companies. DeField counsels clients on all types of insurance policies and coverage issues, with particular experience in cyber insurance (including ransomware, large scale data breach, and social engineering claims); directors and officers liability and professional liability insurance issues; hurricane claims; and commercial general liability insurance disputes, including those arising out of construction defect claims, wrongful death, and pollution incidents.

Sima Kazmir, an associate at the firm, is a proactive commercial litigator whose practice focuses on complex consumer finance, insurance coverage and business litigation.
