Inside a Cyber Liability Policy: Real-World Example Explained
Okay, here's an example of a cyber liability insurance policy. This one happens to be written by a company called Philadelphia Indemnity. We're not associated with them; we don't write this policy. We're just using it as an example. This is not designed to disparage them in any way. This is actually pretty good-looking coverage. This is pretty standardized coverage. If you're looking for a cyber policy, they're worth checking out. Doesn't seem like there's anything out of the ordinary for this policy, but we're mostly looking at this to give you an example of what the coverage is.
And even if you don't buy a cyber liability policy, you should take a look at your coverage for all of your insurance. If you have business liability, if you have professional liability, errors and omissions coverage, any type of insurance you have—you should look at these policies. You have these documents to know what's covered and not covered, because you may find that there are things that you're covered for that you don't need, you can exempt from coverage, and maybe lower your cost. You might also see that there are gaps in your coverage, and you might want to add on endorsements that cover you.
So always look at these policies. Look, it's not exciting reading. It's not like reading, you know, a novel. This is kind of boring stuff, but this is the stuff that stands between you and financial devastation if you have any type of nominal event that's not going to help your business. So that being said, again, this is—you know, not picking on them as good or bad—it's just, this is an example of coverage.
So first of all, what is your coverage? Loss of digital assets. We will indemnify for loss you incur in excess of the applicable deductible. That's normal. Every policy has a deductible. Anything over the deductible you are covered for, including special expenses, which they'll talk about, as a direct result of damage, alteration, corruption, distortion, theft, misuse, destruction of your digital assets—if it's directly caused by a covered cause of loss.
So digital assets—they describe what those are, and it's everything you think it is. It's hard drives, it's data, it's records, it's computers, it's analysis, it's research. If you lose those things, they cover it, and they'll indemnify for the loss. Now, a couple of things to keep in mind—as a result of these things: damage, alteration, corruption, distortion, theft, and misuse—there are some things that could cause that that aren't covered, and we'll take a look at what those are.
The covered loss must first occur and be discovered during the policy period. There are two types of coverages: there's claims-made coverage and policy coverage. So if it's discovered during the policy or discovered after the policy, you want to make sure you understand the language of your insurance policy as soon as possible. In no event, no more than 60 days after the expiration. So if you cancel your coverage or you're non-renewed, you can still report it after 60 days.
So what about business interruption? We will reimburse you for income loss, interruption expenses, and special expenses. So if you have to go rent another office space, if you have to go buy new computers, if you lose income, they will cover for those special expenses—and you should read your policy to see what those are. Same thing—covered cause of loss must occur within the policy period.
Cyber extortion threat—this is that ransomware we talk about. We reimburse you for the extortion expense and extortion monies in excess of the deductible paid by you and resulting directly from any credible threat that included demand for money for your data. That's the biggest thing that's newsworthy—cyber extortion, ransomware. However, extortion money shall not be paid without prior consultation with us—meaning the insurance company—and without their written consent. You must make every reasonable effort to notify local law enforcement, FBI, before surrendering money.
So they'll cover it, but they're not just going to say, "just throw the money out the window." We will reimburse you for security event costs so that if you have to comply with any statute, rule, regulation to notify people, if you have to spend money to minimize harm to your brand from adverse media reports—this is interesting coverage. So if there's a security event, even if it doesn't cause a loss, if you have to spend money to keep it from being a loss, they'll cover that—and special expenses.
What about network security? We will pay on your behalf arising from errors from a security breach. What this means is that if your network is breached and it causes damage to others, in some cases they'll cover that.
EPLI—Employee Privacy Liability Insurance—different. I'm sorry, this is a different definition of EPLI. We will pay on your behalf damages for a privacy breach. So if you have employees whose personal information is breached, they'll cover the damages that creates.
Electronic media apparel—the electronic media are things like hard drives, drives, DVD, DVD drives—things that are electronic media. They also have a coverage for income loss because of cyber terrorism. But there's some exclusions for that—we're going to talk about.
Covered cause of loss—these are the things that cause the loss: accidental physical damage, failure in power supply or overvoltage only if the power supply is under your direct operational control. So if you have power coming in from outside your control, it's not going to be covered. Accidental, unintentional, or negligent modification of electronic data—so somebody pushes the wrong button and deletes your data—covered. Computer crime, mistake, negligent error, denial of service, malicious code, unauthorized access, hacking—covered.
Let's take a look at claims expense. This is coverage for legal costs. That's important. You might have to pay money to an attorney to have them defend you in court if somebody sues you because their personal information got out. Appeal bonds if you have a judgment against you.
Let's take a look at damages. This is what's covered for damages—future profits, restitution, returns, refunds, an offset of fees—meaning that if you have to give money back to clients. Liquidated damages because you breach the contract. Matters which may be deemed uninsurable under the law under which this policy is construed—those are damages that are not included.
Think about that. All these things are not part of your coverage. Why is that important? It makes it more important to prevent something happening in the first place, because any of these things are going to be out of your pocket. If you have to redo work for a client—not covered. If you have to discount future business for a client—not covered.
Not included—electronic media means things you put online, electronic data—if it directly results in libel, slander, invasion of privacy, plagiarism. So that's what the definition is. Some of it's covered, some of it's not. And that's what's important to understand is what is not covered.
Here are the exclusions. These are pretty standard exclusions on a cyber policy. We will not be liable for expenses if any failure of the utilities was outside of your direct control, including blackout, brownout, surge. So if your power company sends a thousand volts and zaps all your stuff—not gonna be covered under your policy unless you have an endorsement back for this.
Any seizure, destruction, or damage because of a governmental authority—meaning that if the government has anything to do with this, you're not covered. Physical damage—fire, smoke, lightning, wind, flood, earthquake—well that's normally going to be covered under your GL policy, but some business policies don't cover volcanoes and earthquakes, so that might be something that isn't covered at all.
Keep in mind though that if you take the advice of your insurer for the best practices of protecting your data, you're less likely to lose it if an earthquake happens. Because if you protect it from hackers by putting it on a separate server or having redundant backups—whether a hacker gets it or the earthquake gets it—you're going to be covered. You're going to be protected.
Here's the most important one—it's not covered. This is an exclusion: if you don't ensure your system is reasonably protected by security practices equal or superior to those disclosed in the proposal. See, that's important. The proposal is what you and the insurance company agree on are your responsibilities for protecting your network.
And it's defined right here: the proposal means your signed application and any attachments submitted in connection with the underwriting of the policy. And what that means is you are agreeing to do certain things in order for them to be convinced to sell you a policy. So taking their advice not only is a good idea, but also—you have to do it to get coverage.
Another thing that's excluded is any loss that was committed prior to the inception date that any knowledgeable person knew or could have foreseen. So if you know that your computer system is not secure and you keep having people log into it or hack into it—even if they don't cause damage—if in the future they do cause damage, you might not be covered because you knew that that could have happened.
Any loss that you previously noted to any prior insurer—not going to be covered. Terrorism—not covered. Also, environmental damages. So if your computer system gets hacked and it releases nuclear radiation into the atmosphere—not covered.
It doesn't cover ordinary wear and tear—like something breaks, that's normal. It also doesn't cover the rendering or failing to render professional services. So if you are not able to get professional services, that's not going to be covered.
Most important is—if you or your employees do anything dishonest, fraudulent, or criminal—not gonna be covered. It's not gonna cover you if you make guarantees to a contract that you can't fulfill. If you can't get a bond or insurance, it's not going to cover that either.
The bottom line is that even if you have a cyber liability policy, it's going to have exclusions. The exclusions in your policy may be completely different from this example. However, there's going to be exclusions—and some of them are going to be pretty substantial.
However, the insurance company that writes this policy for you—when they do your proposal—they will tell you how to avoid losses in the first place. And if you follow their guidelines to the letter, you're going to be less likely to have losses that are excluded to begin with, or any losses for that matter.
And what will happen is, after two or three or five years where you don't have any losses, and you're at the low end of their cost spectrum compared to other insureds, it's going to be easy for you to get coverage. Because you may remember when you obtained any of your prior insurance policies—even for fire or cyber or for general liability—one of the first things they asked for is loss runs. They're going to ask you: Did you have any other insurance claims? And normally you would say no or very minor.
Any future cyber liability policies, either with this company or anybody else—they're going to ask for loss runs. So avoiding loss runs in the first place will go a long way in keeping you in good graces with the insurance industry so you can have good coverage if this market gets more difficult or if there's more damages in the market that cause insurance companies to avoid writing coverage unless it's somebody they have experience with, have a history with as a company, and they know that you're following their guidelines.
In the first few years of fire insurance, back in the early 1900s and even late 1800s, insurance companies sent inspectors to the companies and buildings on a regular basis to make sure that there were fire extinguishers, the exits were open, there was not oily rags next to the heater. And they made sure that things didn't exist that were fire risks.
They may do the same thing with cyber liability. If you already have these things in place, you won't have to scramble around to figure out what they are after the fact.