Gaps and Overlaps in Cyber Policies
Understanding how policies intersect around cyber coverage and claims can help guide proper placement. This panel discussion at the 2018 NetDiligence® Cyber Risk Summit provided opinions on where the gaps and overlaps in cyber policies lie so that coverage can be developed to match the business need.
Speakers included:
- Meredith Schnur, Senior Vice President, USI
- Christina Terplan, Partner, Clyde & Co
- John Coletti, Chief Underwriting Officer, XL Catlin
- Nick Economidis, Underwriter, Crum & Forster
- Shannon Groeber, Senior Vice President Cyber/E&O Practice, JLT Specialty
Is reputational harm measurable and covered in cyber policies?
Sometimes. For instance, if you have a business interruption event, that is actual reputational harm and it is covered. If there is a loss of income, there can be some damages covered under a policy, but not all. There could be items that take longer to emerge – like loss of customers – that currently are not insured. Another example could be loss of something like search engine optimization (SEO) ranking, which ultimately influences sales, but is not covered in a policy.
How do you determine which is the primary policy when coverage overlaps between cyber and non-cyber policies?
This question is asked often, and there is a lot of confusion surrounding it. Cyber policies are limited in the response period, so you would prefer them to respond first. However, that is not always the case and there is some work to do in this area. Both markets need to work together to take a position and determine how policies are going to respond. We are gradually starting to see some cyber policies that define where they are primary and where they are excess, but not many. Oftentimes, it is the insurer with the lower retentions picking up first. Coverage does overlap, however, and we need the insurers to break down silos and solve this problem.
General Data Protection Regulation (GDPR) creates new exposures related to privacy liability. Is this covered in a standard cyber policy?
GDPR is currently not covered in most cyber policies. Sometimes there is a perception that the company is not doing what it needs to do to protect against it and would rely on this coverage for cleanup. This is something the industry needs to evaluate. If a company does have good practices and there is a breach, it should be able to get this type of coverage. But which policy should pick it up, since it does include privacy liability? The panel believes the cyber policy would be most appropriate to address this. Cyber insurance concentrates heavily on security, but possibly not enough on privacy protection.