In early March, the New York department of financial services sent letters to top executives of the more than 3,000 companies it regulates alerting them to a new set of extensive rules mandating tougher computer security. These regulations give banks, insurance companies and other financial firms that do business in New York State dozens of new assignments, from designating a chief information security officer to reviewing the encryption technology their systems use. Of course, the government also requires stacks of documentation, contingency plans and regular filings with the state.
As daunting as this new to-do list may seem, New York financial firms would be wise to add yet another item not explicitly mentioned by the state: Reviewing their business insurance, especially their cyber liability coverage. Because if they don’t have cyber coverage, now is the time to consider it.
There are many ways that cyber liability insurance can help companies deal with the costs of potential data breaches—and even help prevent them from occurring. One tangible benefit responds to the line in New York State’s letter that is getting a lot of attention: Regulators can hold executive officers of financial companies personally liable for violations of the new rules. But the right coverage should keep the college funds of those in charge from being diverted to Albany should a technological wall be breached. Most cyber liability policies have provisions to cover fines and penalties related to violations of government regulations, such as those from New York State. (But terms vary, so look carefully at the coverage and exclusions of any in-force policies.)
Some may ask why they need any new coverage when their firms already have a web of policies meant to protect the company and its executives, including directors and officers liability insurance, errors and omissions insurance, and other liability coverage. But while these policies may well cover some losses that result from violations of cyber security regulations, the range of hacker attacks and consequences cuts across traditional categories of insurance, leaving potential gaps in coverage.
Filling those gaps, in fact, is a primary driver for the increased adoption of cyber liability coverage in recent years. (Crystal & Company estimates that about one-third of the financial companies we serve are now protected.) Such policies cover both liability—payments to customers and others who may have been hurt by a computer attack—and the policy holder’s own costs to deal with a breach, e.g., restoring computer systems, communicating with customers and dealing with regulators. Cyber insurance typically also covers liabilities that involve external technology providers—increasingly common in this age of cloud computing—so that a company won’t be stuck battling with vendors’ insurance companies.
But the true advantage in cyber liability policies may be the role they can play in preventing attacks from occurring, and minimizing damage if they do.
Typically, carriers will line up a range of experts in key areas, including technology consultants, public relations agencies, and specialized law firms. Often an initial consultation is offered free with additional services available at negotiated rates.
Connections with qualified outside vendors are especially important to complying with the New York regulations. The state requires regulated companies to periodically test all their systems for vulnerabilities, a task usually provided by a consultant. And smaller firms are allowed to outsource the required position of chief information security officer, so long as senior management regularly reviews the consultant’s work.
Several of the clients at Crystal & Company that I have served have taken advantage of the consulting relationships provided by their cyber insurance carriers and found them immensely valuable. For example, the CFO of a midsize financial firm recently set up an hour-long conversation with computer and legal experts provided by its insurance company. His goal was to have a contingency plan ready for any cyber breaches. They covered best practices to identify which of the firm’s employees should have what responsibilities in case of an attack. And they identified the vendors and law firms to call if needed. It was a small investment of time that could reap big benefits later.
There’s no question that New York’s new cyber security rules will add expenses for many financial firms over the next few years, even as they potentially reduce risks in the future. But for those companies that see the rules as a reason to buy new cyber liability coverage, there is a silver lining.
The cyber insurance market is becoming much more competitive, i.e., there more carriers, offering more flexible terms and lower rates.
Meanwhile, for those firms that purchased cyber coverage a few years ago, the new regulations offer a valuable prompt to review those policies. More recently minted policies could well offer fewer exclusions and smaller premiums.
As for firms that are not regulated by New York State, it’s still wise to recheck both your cybersecurity practices and liability coverage. Hackers and the damage they wreak will only increase in number. And regulators in other states, as well as the federal government, are likely to consider rules similar to those adopted in New York. When you eventually get that letter from your regulators, it will be nice to know that you are already prepared.
Sign up to get the latest Viewpoints articles by Crystal & Company experts sent directly to your inbox