I went through and broke down a Cyber Liability policy to identify the different aspects of it. This is a very high-level view of just some of the elements I found when reviewing the policy.
The policy has 15 separate insuring agreements that all deal with Coverage that would come into play in the event of an Electronic related event, whether malicious or inadvertent.
Let’s say that there was an event where the company who had purchased this policy was hacked and a significant number of its customer’s Personally Identifiable Information was compromised.
First, outside help is likely needed to identify how the breach occurred, how many customers were affected, if their network is still at risk, and what they can do to plug the gap in security. That activates one insuring agreement with it’s $50,000 Deductible.
By failing to protect the data the activates another insuring agreement with another $50,000 Deductible.
A regulatory agency becomes involved and begins to investigate and the defense expenses begin to accumulate which activates another insuring agreement with another $50,000 Deductible.
Because of the breach, the businesses systems and therefore operations had to be suspended during the time it takes to ensure that there is no additional danger. The Business Income Insuring Agreement will then come into play to cover the lost Net Income.
As a result of the breach, there is a lot of bad PR and so a good Reputation Management team is needed to mitigate the effect that a breach has on the brand of the business. This is a separate Insuring Agreement with its own $50,000.
You can see that very quickly with a relatively simple scenario we have activated several of the insuring agreements. Each one with its own $50,000 in this case. Before any of these coverages begin to pay, the owner of this policy has to pay around $200,000 to get at its 2 million dollar limit. As each of these expenses under this coverage begins to mount, they are all eating away at that $2 million limit. You can see that it can begin to erode very quickly.
Again, this is a very basic overview, but it highlights in part, the complexity of a Cyber Liability Policy. Various Insuring Agreements come into play for one incident. Each one of those agreements covers a specific set of circumstances as described in the policy. Because there is no standard Cyber Liability Policy, each company is going to be different in the coverages that they offer, the names of the coverages, and the scope of the coverages.
When buying a Cyber Liability Policy, an analysis needs to be conducted of the exposures that are present in the organization. All Cyber Policies are not created equal.