“There’s No C-I-O in T-E-A-M, And That’s A Problem”

I frequently hear that cyberinsurance decisions are made solely by Risk Managers.  In the typical circumstance, that makes sense.  Risk Managers manage risk.  But cyberliability, at this stage, is not a universe of typical circumstances.

The nature of the risk is new and rapidly changing.  Actuarial data is sparse.  Carriers and Risk Managers frequently have incomplete understandings of insureds’ IT infrastructure and exposure.  As a result, unlike the standard policy forms that have evolved over decades in other contexts, cyberinsurance policies are all over the place in terms of coverage grants and exclusions.  Amid this lack of uniformity, many insureds likely have coverage that is inappropriate or incomplete.

There is good news.

Insureds that are fortunate enough to have Risk Managers often have Chief Information Officers or Chief Information Security Officers.  These folks know your IT infrastructure like it’s their job.  Funny, right?

By many accounts, including a thorough article by Kathleen Richards in Information Security Magazine, IT professionals nevertheless often have no involvement in cyberinsurance decisions.  This is a problem.  Without consulting the individual most familiar with your IT infrastructure, it is less likely that you get the coverage you need and more likely that you pay for unnecessary coverage.

But here’s your real takeaway.

Having an IT professional at the table makes it less likely that an insurer denies coverage altogether.  Carriers have shied away from “penetration testing,” or actual testing of insureds’ network security.  Instead, carriers rely on policy applications that contain a multitude of detailed questions about IT security practices.  At least one carrier has already sought to deny coverage based on its contention that the insured did not employ the actual security practices identified in its policy application.  See Columbia Casualty Co. v. Cottage Health Systems, No. 2:15-cv-03432 (Central District California) (dismissed on other grounds).

If a CIO or CISO is part of your team, manage the risk of having inappropriate or no coverage.  Talk to your IT professionals.  They don’t bite (probably).