As cyber liability continues to infiltrate all businesses great and small, policies have become more affordable and easier to place as coverage options have expanded to respond to increasing threats and exposures.
How should you go about securing cyber coverage for your agency? Here are a few tips to keep in mind.
In many classes of business, cyber liability is combined with an E&O policy. The strategy makes sense for an industry like software development, where “it’s almost necessary that the two are on the same policy because the exposure could be one in the same,” explains Brian Thornton, president of ProWriters.
But “as you get to other traditional professions, policies may be silent on it or may have an explicit exclusion for data breaches,” Thornton says. “Or they may separately underwrite it on a separate policy or they might have a separate endorsement for it.”
That means an independent agency that believes it has true cyber coverage under its agents E&O policy is probably mistaken, Thornton says. “Even if it potentially picked up some liability or defense, it wouldn’t be covering all those first-party costs unless they’ve truly addressed it with a robust endorsement,” he explains. “They could certainly be left hanging if they thought it might be covered under the E&O.”
In addition to coverage gaps, insuring cyber and E&O under the same policy can erode limits for either risk. “You’re going to find a much more robust policy in a separate policy because they won’t be sharing limits,” says Alex Wayne, executive vice president at A.J. Wayne & Associates, Inc. “In some cases, add-on coverages don’t provide decent limits with regard to first-party coverages like notification and credit monitoring.”
Insuring cyber on your agents E&O policy can also have a seriously negative impact on your agency’s E&O loss ratios. “Cyber is an unknown exposure, so you could be ruining your loss ratio for your E&O,” Wayne says. “If a cyber event ruins that loss ratio, it could increase their cost for agents E&O for years to come.”
What to Look For
The number of companies offering cyber liability insurance is constantly expanding—making it difficult to nail down the best option for your agency. Laird Rixford, president of Insurance Technologies Corporation, advises agents to pay close attention to limits. “Our cyber liability is actually more than our standard GL,” he says, noting his company recently increased cyber limits from $2 to $10 million.
Why? Like an independent insurance agency, Insurance Technologies Corporation holds important customer information that increases the risk involved with a cyber attack. “You have to look at what that’s going to cost,” Rixford says. “If your notification fees are $1,000 per incident and you have 1,000 clients, then you’re probably looking at maybe $1 million to cover fines and another half a million for notification and administrative. So you could be looking at maybe a $2 million cyber limit.”
Wayne agrees that agents should pay attention to limits for notification, credit monitoring and liability, as well as coverage for regulatory actions, extortion, website media liability and business income. “Those are all things that almost all cyber policies could potentially provide, but not all of them do,” he says.
And watch out for potentially disastrous exclusions. “Double check whether the policy contains any type of encryption exclusion for your portable devices,” Wayne warns, noting that even if carriers don’t include an outright exclusion they might provide a higher retention rate if you don’t encrypt. “Many times insurance companies will remove that exclusion if you either don’t have the PII on your portable devices or you encrypt your portable devices that have the PII on them.”
Moving forward, “prior acts” coverage will become an increasingly important option for insureds that may be unaware that they have even experienced a cyber event until years later. “It wouldn’t cover a known claim—that’s like insuring a burning building,” Wayne says. “But if the insured is unaware that they did in fact get hacked and they find out about it after they purchase the prior acts coverage, then the policy will cover that.”
Jacquelyn Connelly is IA senior editor.