Cyber versus technology professional indemnity insurance - round two
There is definite value to be gained from having both policies or by having a policy which essentially combines both covers, says Natalie van de Coolwijk, MD of CyGeist.
My last article explored the high-level differences between professional indemnity and cyber insurance policies. A natural extension of this topic would be the question: "Where is the overlap between technology PI and cyber insurance policies, and how do they differ?"
I will unpack the salient points relating to this question by considering a simple example in the following paragraphs. Before considering the specific example, however, it is worth noting that for both policies to be triggered by the same event, three separate elements need to be present.
These elements are:
1) The policyholder should be a technology services provider.
2) Negligence should be present in the provision of the professional technological service, resulting in damages sustained by the policyholder's client/s and triggering the technology PI policy.
3) Such negligence must have resulted in a compromise of the technology service provider's systems and/or a compromise of their client information, in order for the cyber insurance policy to be triggered.
A simple example may better demonstrate the interplay between the above elements, making the relevant concepts more tangible to the reader. The example focuses on the risks of unauthorised access to and misuse of information, as these are becoming far more prevalent and detrimental to organisations than a mere virus infection, which is malicious and disruptive but not nearly as lucrative for cyber criminals as unauthorised access and data theft. The policyholder in this example is a data storage provider that holds both a technology PI policy and a cyber insurance policy. The provider undertakes to configure its systems according to minimum security standards and to take appropriate action, such as applying software updates and patches in a timeous manner. This should ensure its client information is reasonably secure, and as such it forms part of the professional service that the provider offers.
Now, assume the provider neglected to change some of the vendor passwords away from the default (thus not adhering to the minimum security standards), and as a result a cyber criminal was able to obtain unauthorised access to some of its servers hosting information belonging to multiple clients. The cyber criminal then exfiltrates information relating to the clients' customers and sells it on the black market.
Assuming the breach is discovered and a disgruntled employee discloses all the details to the media, the situation should play out as follows:
* The policyholder notifies the cyber insurance provider of the incident, who in turn deploys the relevant specialists to deal with the breach. IT and forensic specialists investigate and contain the breach, and legal specialists advise that client notification is preferable given that the breach is already public knowledge. The policyholder elects to make use of PR services in order to mitigate further reputational harm. These first-party crisis management covers would not be available under the technology PI policy.
* Once the clients are notified, they in turn elect to notify their customers in an attempt to manage the situation proactively. They also offer their customers further remediation services, including the reissue of credit cards and credit monitoring for a period of six months.
* The clients seek compensation from the data storage provider for the costs they have incurred in managing the situation. The data storage provider notifies its technology PI insurer, and after some discussions, the parties agree to an out-of-court settlement. If the data storage provider had not had a technology PI policy, the cyber insurance policy would have responded in the same way.
Scenarios where both policies will respond to a single incident are probably fairly remote. It is more likely that an incident will fall into one of two categories: either negligence is present in the provision of the service but does not result in a network security or privacy breach, or the systems and/or information are compromised without any negligence being present.
Therefore, there is definite value to be gained from having both policies, or from having a policy which essentially combines both covers. Even where there is an overlap in the liability cover provided by both policies, the policyholder will still benefit greatly from the first-party covers which cyber insurance provides. Not only do these covers encourage the policyholder to manage the breach proactively, and thus assist in reducing any resultant liability, they also provide access to appropriate breach response service providers and pick up the concomitant costs, which are far from negligible. Not having the cyber first-party covers can be likened to a landlord who has a policy covering damage to tenants' contents as the result of a leaking roof, but no policy in place to deal with the leaking roof itself. It will always make sense to deal with the root cause of a problem, particularly as far as cyber incidents are concerned, where the consequences can be detrimental to the organisations involved.