This article is part three of a four-part series on cyberinsurance. Part one addressed the need for cyberinsurance. Part two discussed how to assess your company’s cyber exposure and select the right coverage. Part three, below, covers the complex cyberinsurance application process. Part four will complete the series with advice on how to manage a cyberinsurance claim to maximize your company’s insurance recovery.
Applying for cyberinsurance must be cooperative effort. More than any other type of insurance, cyberinsurance applications and renewals require detailed input from multiple groups. The risk management department, which usually handles insurance placement, will often lack the detailed technical understanding of attack vectors and risks that need to be addressed in a cyberinsurance application. As a privacy or security professional, your input in a cyberinsurance application can be invaluable to obtaining cyberinsurance coverage without exposing your company to a later risk because of an inaccurate or vague response on an application. When in doubt, explain your answer, even if the insurance application does not seem to have a place to do so. Simply checking the “yes/no” box can pose a potential risk to your insurance coverage.
Why applications matter
Underwriters use applications to assess risk and determine available limits and pricing for a potential insured. Simply put, underwriting is the way insurance companies measure the risk associated with issuing an insurance policy to a particular company. The results of this analysis are used to set premiums and coverage limits and determine whether an insurer will agree to issue a policy at all. Insurance companies rely on the information contained in applications, so any inaccuracies, or ambiguities in an insurance application can lead to issues you make a claim (policy rescission and potential exclusions).
How applications are used by insurance companies
You can think about an insurance application as data gathering for underwriting. In well‑established insurance markets — auto, property, commercial liability, professional liability — underwriting methods and procedures are well established and understood, so the data gathering process is quick and seamless. Insurance companies have spent decades refining and improving risk modeling, conducting research, and gathering data. These risks are so well understood that accurate preliminary risk assessments can be completed in minutes for some consumer policies, as you are likely well aware from certain prominent television advertising campaigns. While complex insurance programs take time an effort to analyze, assess, and model,
Similarly, even complex commercial property risks can be modeled and assessed using an industry standard methodology – COPE (construction, occupancy, protection, exposure). Construction factors in the material and methods used to build the structure. Occupancy assesses what the building is used for and how many people use it. Protection refers to the loss mitigation measures present in the structure (controlled access, automatic sprinklers, etc.). Exposures measures the risks associated with a building in a specific location (flood zone, risk of earthquake, etc.). While additional analysis and information gathering is required to complete the underwriting analysis, this basis methodology is an effective way to gather and organize the information required to properly underwrite a commercial property.
Cyberinsurance lacks an established underwriting methodology. Though underwriters have adopted and adapted known policies and procedures from other insurance products to the cyberinsurance marketplace, these tools don’t always translate well. In particular, because the cyberinsurance marketplace is still maturing, underwriters are still developing the proper questions to ask to get the right information properly assess risks, set premiums and limits, and model potential exposures.
As a result, there are substantial variation in applications and policy forms between insurance companies. Due to the lack of standardization in both policy applications and policy forms, choosing the right insurer or insurers to obtain quotes from or include in a bidding process is essential to obtaining the coverage that fits best for your company.
An example of an application gone wrong
The only major coverage litigation to come out of a cyber-specific policy to date, Columbia Casualty Company v. Cottage Healthcare, is an attempt by an insurance company to deny coverage based on an alleged inconsistency between the insured’s security practices and the insured’s description of its security practices on its application. The insurer is also arguing that, even if the exclusion does not apply, the policy should be rescinded because the insured failed to follow the security protocols described in its application. The complaint alleges that the insured made the following disclosures on its application (among others):
4. Do you check for security patches to your systems at least weekly and implement them within 30 days?
Yes
5. Do you replace factory default settings to ensure your information security systems are securely configured?
Yes
6. Do you re-assess your exposure to information-security and privacy threats at least yearly, and enhance your risk controls in response to changes?
Yes
23. Do you control and track all changes to your network to ensure it remains secure?
Yes
The problem with these answers is not that they are incorrect — but instead that a simple yes/no check box is insufficient to precisely explain the policies and procedures in place at the time of the application. This is problematic because of the security practices exclusion in this policy, but also because insurance policies usually incorporate the insured’s application materials into the insurance policy itself — meaning that the failure answer a question accurately impacts your coverage in the future.
For each of these answers, the insured could have provided an attached explanation that more fully explained its security procedures. For example, question 4 requires that all security patches must be “implemented” within 30 days for all systems, while that time frame may seems reasonable in the abstract, by simply answering “yes” with no further information, the insured left itself no room for professional judgment on the part of its security professionals.
Additionally, there is no definition of a “security patch,” a “system,” or “implemented,” leaving the insured open to the argument that it missed an update that the insurer now deems a “security patch” or that a “security patch” was not “implemented.” An explanation of policies and procedures can protect the insured because it presents an opportunity to minimize the potential for misunderstanding down the road.
Similarly, the other three questions contain broad language, that if you simply respond “yes,” prescribe policies and procedures far broader than you may have in place. Question 23, for example, assumes that by tracking “all changes to your network” it will “remain secure.” What exactly does “all changes” mean? And does simply tracking changes mean that the network will “remain secure?” Checking “yes” without explaining what you track and the limitations of how that protects you is a recipe for a future coverage fight if you have a claim.
Not every question requires an explanation, but you should carefully consider each application question and consider whether the “yes/no” check box on the application is sufficient to accurately answer the question – what are you agreeing to by checking the box? Even if there is no space on the application for an explanation, you may be better served by providing a supplement to the application that explains and qualifies your response. “See attached” can be a powerful way to protect your company’s insurance coverage.
Two final caveats: If you say your company follows a certain procedure or policy in your insurance application, you must follow it. And, your company likely changes and updates its security policies and procedures as necessary, so make sure that your application and explanation reflects the possibility for future updates, so that you do not tie your application to an outdated policy or procedure.
Columbia Casualty highlights the importance of a careful and precise insurance application as an active risk management tool – imprecise answers can lead to coverage issues down the road, leaving your company potentially uncovered for a risk it intended to insure. As privacy and security professionals, you have the information and technical expertise necessary to ensure that application questions are fully answered. Do not simply check “yes.”
Editor's Note: For more on this topic, tune into the upcoming web conference, "Mastering the Cyberinsurance Application Process," featuring Brendan Hogan, Aarti Soni and Joseph Cvelbar, CIPP/US, CIPT, FIP, May 18, 1 to 2 p.m. ET.
photo credit: Insurance Policy via photopin