1. Do you need this insurance? If you don’t handle personal information or have access to it, you may not need it. However, your customer may insist on it if any type of confidential or business information is involved with contractual services you provide.
2. What type of cyber insurance do you need? Insurance brokers say there is little uniformity in the policies provided by insurers. However, one type of policy covers only your own expenses and/or losses, i.e. damage to your own organization (first party coverage), and a second type covers costs associated with third party liabilities, i.e. claims from other companies. You can also get a combined first party and third party policy for more protection. Make sure your policy limits are adequate; your IT people and a broker knowledgeable about cyber insurance can help you get the right amount. Also check on sublimits (these are usually for crisis management costs, notification costs and regulatory investigations); you can sometimes get more coverage for such sublimits without a substantial premium increase.
3. Make sure you ask for retroactive coverage, with the earliest date possible. Experts say that some cyber attacks found on networks have been there for months or even a year.
4. Get coverage for loss of data, not just theft of data. Negligence can also result in a data breach, e.g. an employee loses a laptop.
5. Make sure your insurance works with your contract indemnities to your customer or your vendor to maximize your coverage.
6. Pay attention to exclusions. Some cyber policies exclude coverage for "any guarantee, warranty, contractual term or liability assumed or accepted by an Insured under any contract or agreement." These contractual liability exclusions are sometimes used by insurance companies to deny claims. If the policy has a contractual liability exclusion, try to eliminate it.
7. Ask about the price for coverage for data restoration costs—it can be expensive to restore data.
8. Understand what triggers coverage under your cyber policy, e.g. date of loss or date claim is filed. If you don’t provide timely notice your claim may be barred.
9. Make sure you understand what devices are covered, whether personal devices, home offices, and laptops, tablets and phones are included, and whether coverage applies to unencrypted devices or data offline at time of breach.
10. Make sure your cyber policy works well with your existing insurance policies.
Even if you buy minimal coverage of $1 million, you may get help with response and recovery and legal defense, depending on the policy you get. You will get access to those resources at rates negotiated by the insurance company, as opposed to the higher emergency rates you’re likely to be charged if you have no insurance. It’s critical to get a good broker who can help you get the best right-sized policy for your company.