Financial companies, big and small, are spending a lot of time and money to bolster their defenses against cyber attacks. That’s smart, given the steady stream of headlines about ever-more-damaging schemes launched by hackers around the world, not to mention increasing pressure from financial regulators to get ahead of these threats. This year, many firms are rushing to comply with new digital security rules from the New York State Department of Financial Services that impose personal fines for executives of companies with violations.
And yet, many of our clients—having hired experts to root out system vulnerabilities and prepare contingency plans for dealing with attacks—are now asking whether such defenses eliminate the need for cyber-liability insurance.
Our answer is a resounding no.
Cyber liability policies are also a necessary step to help guarantee cash flow predictability.
The average cyber attack costs a financial firm $200,000 for computer forensics, $44,000 in legal fees and $32,000 for public relations, according to claims data from Chubb. A cyber liability policy that will pay up to $2 million of those costs after a deductible of $25,000 or less typically costs less than $25,000 per year.
That said, buying cyber liability insurance is different for a company with a detailed digital security plan than for one with more rudimentary defenses. For the meticulous, it is important to coordinate the terms of the insurance contract with the other elements of your breach response plan. Otherwise, there is potential for conflict with the carrier when a claim becomes necessary.
The central issue is the selection of outside vendors that will be on-call in case of an attack. Just as health insurers create networks of preferred doctors, carriers line up technology consultants, lawyers, and publicists with suitable expertise that will work at negotiated rates. These deals can be a boon to some firms that need to find skilled help in a hurry. But they can also create conflicts for a company that has already done an extensive planning exercise, building relationships with key vendors. Some policies could force a company in the midst of a crisis to select a firm they’ve never worked with rather than the one they already have on retainer.
Increasingly, Crystal & Company is helping clients place cyber liability coverage in which the carrier agrees in advance to pay for vendors the company has already selected.
Our first step is to compare a company’s chosen vendors with the preferred list for each cyber insurance carrier. Sometimes we can find a carrier that already works with the vendors our client prefers. In cases where there is no match, we work to find an insurance company that will amend their standard policies, agreeing to pay for the client’s chosen consultants, lawyers, and publicists.
Either of these options could result in a premium as much as 5-10% higher than the lowest rate in the market. But that may be a small price to pay to have the team you trust in place when times get tough.
We do caution, however, that the forensics expert you select should not be the same vendor that set up your computer system or operates your network. If something goes wrong, you will want an independent inquiry, and often the technology consultants on contract with your insurance carrier can provide a trusted, impartial view.
For companies still developing breach response plans, we suggest considering your cyber liability insurance options at the same time. Specifically, start with the lists of preferred vendors developed by the insurance carriers. These companies have been vetted by carriers and have proven experience with all manner of digital attacks. Moreover, purchasing a policy from a given carrier may entitle your company to discounted rates and free initial consultations from strong vendors.
There are smaller issues that are also worth coordinating between your company’s digital defense plans and the terms of a cyber liability policy. Example: A typical breach response plan includes a protocol for who is contacted, in what order, when a problem is discovered. Many insurance policies require that the carrier receive the first call. But this can be negotiated, especially if the first call is going to go to a lawyer pre-approved by the insurance company.
While there are other such issues, it’s crucial for companies preparing for digital attacks to integrate their cyber liability insurance into their overall defense strategy.