Cyber insurance offered by major carriers is extremely diverse, with the absence of standardization meaning the market is full of “trapdoors” for the unwary buyer, lawyers told a security conference Tuesday.
“No two [application] forms are alike, no two policies offer the same coverage,” Richard Bortnick, a New Jersey based attorney who represents insurance companies, told the Privacy and Security Forum in Washington, D.C..
“There are 75 or 80 policies out there,” said Charles Bernier, an insurance broker with ECBM. Unlike other kinds of insurance, there is no standardization. “They are all different,” he said. Even policies that use the same terminology may not be comparable: “The same word can be interpreted differently by two different carriers,” he said.
As a result, added insurance attorney Scott Godes, “It is very difficult to read these policies,” and hard to be sure what exactly is covered, meaning it could “ultimately be an unwelcome surprise.”
“If in doubt,” he concluded, “ask.”
But even many insurance brokers don’t really understand the very specialized cyber insurance market, said Bortnick. “The brokers may not know what they’re doing … Brokers have made mistakes and … not brought the right coverage for their client.”
It’s important to determine, for example, what will trigger coverage, said Bortnick, Is it an “event” or an “act”? The distinction is vital. “It doesn’t matter what coverage you have … if you can’t reach the coverage” because the triggering event doesn’t qualify.
For example, some policies, borrowing terminology from disaster coverage, require a period of continuing downtime before the policy kicks in, said Godes. “But with a computer outage, you might be up and then down again” several times before the issue is fixed.
“Some older policies only kick in if [personally identifiable information] is involved,” said Godes.
Other policies may have a “retroactive date,” meaning if a breach is discovered that started before the policy was purchased, it won’t be covered.
As the market matures, “there will be more standardization,” said Bernier. He compared the cyber insurance market to employment practices liability insurance, or EPLI, which provides coverage to employers to reimburse them for claims made by employees alleging discrimination. “Ten or 15 years ago, that [market] was like this, but we gradually saw more standardization [of coverage] emerge.”
The market is still very young, added Bortnick. “How do you rate” a company’s risk or security? he asked “There’s no historic data.”
And, he added to laughter from the audience, “There haven’t been enough lawsuits.”