Cyber insurance underwriters are increasingly building risk management into their programs to bolster policyholders’ data security systems.
Insureds opting for cyber risk management could see a portion of their premium refunded, said Jennifer Rothstein, a director with Kroll’s Cyber Security practice.
Cyber insurers’ goal in introducing more protective risk management is to “ensure that policyholders’ security systems are airtight or bulletproof against intruders—internal and external,” Rothstein told Advisen.
For instance, information technology risk assessments are becoming a more common component of cyber policies for buyers of all sizes, said Rothstein.
“We look at a client’s software or hardware and assess whether or not there are potential security holes,” said Rothstein, who is responsible for maintaining Kroll’s relationships with insurers, brokers and insureds.
Organizations opting for this sort of “penetration testing” could be in line to receive reimbursement from carriers in various ways, she explained.
“One carrier I met with recently is offering a reimbursement of 50 percent of our fees up to $10,000, or 10 percent of the [policy] premium—whichever is the lesser of the two,” Rothstein said.
In other situations, insurers would give policyholders the option of putting such reimbursements toward “table top exercises,” consisting of “a dry-run to test systems and personnel, and how they’d respond if there was a data breach,” Rothstein explained.
Kroll would then come up with a list of best practices and recommendations to prevent future problems.
Mock breaches are expensive to carry out, and might easily cost insurers $15,000 to $20,000 per exercise, she observed.
Not every carrier is offering risk management incentives or payments under their cyber programs, but Rothstein says the majority are now doing so.
In some cases, brokers are also helping to foot the bill for these sorts of exercises, said Rothstein. “Clients want them, so I am encouraging carriers and brokers to help them find a way to pay for them,” she said.
“A lot of cyber programs are in their infancy, but they’re going the way of employment practices liability insurance, where there is typically some risk management included in the policy form,” added managing general agent Mark Lann of Rockwood Programs in Homestead, Florida.