There is a slew of ways in which insurers are differentiating the policy wording in their cyber products. Some of these points of differentiation are described below.
- Additional breach response limits. Look for whether, and how much, additional limits are available specifically for handling breach response costs.
- Increasing, or eliminating entirely, sublimits for certain exposures. Fraudulent instruction is one particular exposure for which some insurers may be willing to either increase any available sublimits or remove the restriction of a sublimit entirely.
- “Betterment” coverage. In the aftermath of a data breach, security failure, or other cyber claim, many cyber and privacy insurers are only willing to cover expenses incurred by the insured to get its networks back up to their prior level of adequacy. However, some insurers are willing to offer a degree of “betterment” coverage that allows insureds to work with a third-party vendor to not only restore their systems to their prior adequacy but also set them up with greater security, functionality, capacity, and so on.
- Quality of service providers offered. The quality of third-party service providers (e.g., cyber-forensics specialists) can vary from insurer to insurer, and insureds and their representatives should do their due diligence by reviewing those providers’ qualifications.
- Number of service providers offered. Similarly, insureds should be aware of how many options may be at their disposal when selecting an insurer-approved service provider.
- Use of “system failure” coverage trigger. A “system failure” coverage trigger can allow for more coverage for “accidental” exposures (e.g., nonmalicious failures or accidental data deletion), as opposed to a coverage trigger that requires “breach” or “compromise” of data or systems.
- Trigger for regulatory fines and penalties coverage. Relatedly, many coverage triggers in insuring agreements for regulatory fines and penalties may require a “breach.” However, some insurers may not include the breach requirement, potentially opening up coverage for scenarios in which regulators may “come knocking” even without a known data breach.
Keeping these points in mind can help insureds assemble better cyber and privacy insurance protection to complement their management and/or professional liability insurance portfolio.