Just like any other services agreement, a cyber insurance policy should be written to reflect the particular needs of each insured. Below is a list of important issues to consider when negotiating with your insurer:
1. Coverage for Data Compromise: in the event of a data breach that includes the theft or unauthorized disclosure of personal information, this coverage assists the insured with complying with data breach notification laws (in all 50 states), as well as providing services to affected individuals such as credit monitoring services or guidance that minimizes potential damages/threats. This coverage does NOT include repairs to any equipment, networks, or machines.
2. Reimbursement for Regulatory Fines & Investigations: following a breach, certain regulatory agencies (such as the SEC or FTC) may conduct investigations. Depending upon the outcome, regulatory agencies may impose fines and penalties, all while necessitating that the investigated entity defend itself and incur legal expenses to do so. Request coverage for such occurrences.
3. Choice of Vendors: if your business has a preferred law firm, IT provider, or managed service provider for your network, ensure your cyber insurance policy allows your business to select its preferred vendors. Inviting new professionals into your business following a catastrophic event is often inefficient and may slow the recovery process.
4. Vendor Negligence and Indemnity: businesses that outsource any data security, storage, or IT services should undoubtedly have such third-party services covered by the cyber policy (the vendor should also have its own policy). Additionally, businesses should negotiate with the insurer to eliminate language requiring that the business recover damages from the vendor prior to collecting insurance benefits, while contemporaneously requiring indemnification from its vendor in a separate agreement.
5. Request a Waiver of Subrogation: this may be a big ask. However, ask that the insurer include an endorsement in which it waives its right to claim that its subrogation rights have been impaired by any other contract that the business entered into before the loss occurred (such as liability being limited by a data storage provider).
6. Retroactive Coverage: data breaches often occur long before they are discovered, resulting in coverage being declined once forensics reveal that the leak originated prior to the issuance of the policy. Request a retroactive policy with the earliest possible coverage availability date.
7. Coverage for Business Interruption: this is a fairly normal inclusion, but businesses should seek to expand this coverage not just to their own networks, but also to those upon which they rely. If your primary source of operations is a third party, and it crashes, can you operate?
8. Don’t Over Promise: an insured must know, attest to, and complete its due diligence efforts in order to expect the insurer to provide the promised coverage. This may include routine network assessments and vulnerability tests. Failure to adhere may cost a business its coverage despite consistent premium payments.
There are several different cyber insurance providers. Shop around and don’t be afraid to get help in your negotiations.