It occurs to me that purchasing something is easier if the seller and the consumer both know what the object is called. (No, I’m not talking about my favorite burritos – BTW, it is pronounced /Chi-POHT-lay/ and not (Chi-POHL-tay) or (Chi-POHT-el-EE). Get it right, people.)
I’m talking about my second favorite subject: cyber insurance. And no, this isn’t the same old “cyber insurance” vs. “network security insurance” vs. “privacy insurance” vs. “eBusiness insurance” debate. I think the industry has pretty much decided that “cyber insurance” is about as good a name as we’re going to agree on. For all its problems, the name works, and insurance professionals generally know what line of coverage we’re talking about. Let’s move on.
I’m talking about what is INSIDE a cyber insurance policy. This is where most insurance professionals get stuck. I can only imagine what prospective purchasers think of the mess that is the typical broad cyber insurance policy structure.
The modules, coverage grants, insuring agreements—whatever you call them—have NO coordination or naming standardization from one policy to the next. Maybe it’s the trademark and copyright coverage that is included in some of the cyber policies that makes policy drafters skittish, but cyber insurers have gone out of their way to make sure each coverage module does not have the same name as any of their 30+ competitors.
For example, a standard coverage included in most cyber insurance policies today is the expense to “Notify affected individuals” about a privacy event in accordance with state and federal laws. It’s one of the early steps in most data breaches. So where can I find the “notification” coverage in a typical cyber insurance policy? In “Coverage A” or the “Notice Sublimit,” right? Wrong. Depending on the market, you will find it in your policy/quote labeled as:
- Privacy Breach Response Services
- Data Breach Fund Expenses Tier 1 (via endorsement)
- Event Management Coverage Section (sublimit shared with other coverages)
- Privacy Notification Expenses
- Notification and Credit Monitoring Coverage
- Enterprise Security Event Crisis Management Expense
- Breach Costs Module
- Public Relations Event Expenses
- Crisis Management Expenses
The last two are perhaps the most confusing, as some of the other insurers call an entirely different coverage grant “crisis management” or “public relations.”
We could make a similar list for other modules: privacy liability vs. disclosure injury vs. cyber liability, or content injury vs. media liability, and so on.
Since I work with a large cyber team at a global insurance brokerage firm, this disparity and confusion create great job security for us cyber brokers. You practically need a PhD in data security and risk management to sort these policies out and offer apples-to-apples comparisons to a client. I should remain quiet and enjoy this advantage we have over our peers and competitors. However, I think it is in the client’s best interest, as well as the industry’s best interest, to move toward some standardized conventions in naming these policy modules.
Will we ever see “Side A”, “Side B” type coverage module descriptors that our friends in the D&O world use? Or how about standard coverage names used in typical CGL policies (PI/AI, medical payments, etc.)? I hope so. I think the cyber insurance industry would be seen as more mainstream, comparable, and credible if we could agree on some naming conventions. I’m OK with terms and conditions being different within the modules—that’s the nature of the competitive insurance marketplace. But let’s work together to bring cyber insurance out of the misunderstood shadows and into the mainstream.