Dive Brief:
- Businesses can often find "trapdoors" in cyber and traditional insurance policies where coverage is withheld due to missed provisions that limit funds for specific risks, Scott Godes, partner at Barnes & Thornburg, told CIO Dive.
- If a business buys a policy for losses related to business email compromise (BEC), it might find that the binder letter, the document a policyholder receives before the policy takes effect, covers BEC under a provision for social engineering fraud. "What a company might not recognize is that that provision will provide a significantly lower limit of coverage" for BEC, according to Godes.
- In a binder letter, businesses will find the insurer's list of endorsements stops short of full coverage where they think they have it, said Godes. Months later, when the policy goes into effect, businesses will find what they thought was a $5 million policy will only pay out a fraction, maybe $100,000, for social engineering fraud.
Dive Insight:
The cyber insurance market is projected to reach $20 billion by 2025, and specific cyber policies are commonly layered on top of property or liability policies. But ambiguities and uncertainties can either delay adoption or wreak havoc when coverage is finally needed.
While middle-market companies' adoption of cyber insurance has increased in the last year, less than half of their executives are familiar with their policies' coverage, according to data from the RSM U.S. Middle Market Business Index. In Q1 2020, data destruction, business interruption, hacking, extortion and threat rounded out the top five risks or exposures cyber insurance covers, according to RSM.
Businesses can miss sublimits, or caps on the coverage available for a specified risk, in their contracts, especially after the binder letter is sent. When the policy is agreed upon, "many people just put the policy on a shelf, or leave it in an electronic folder," said Godes. They don't think "they need to go through [it] with a fine-tooth comb."
If a cyber incident occurs, the carrier pays only the $100,000 sublimit, and the policyholder protests and demands the full value of the insurance, the carrier will say "you were obligated to read your policy," according to Godes.
Missing a provision is "how it often plays out in the real world," according to Godes. It's "a really bad day when you think that you've got a full policy limit available for a multimillion-dollar loss and then the carrier says, 'not so fast, you only have six figures of coverage,'" said Godes.
General misunderstandings between insurance carriers and customers are common, and they can cost either party greatly. Zurich American Insurance and food manufacturer Mondelez International are still tied up in an ongoing legal battle. Mondelez is seeking $100 million from Zurich because the insurer declined to cover costs related to 2017's NotPetya global cyberattack. Zurich is denying coverage, saying "warlike" actions during a "time of peace" are excluded from the policy.
The policy in question, however, is one for property, not cyber.
Cyber insurance is meant to act as a safety net in the event a security system fails. However, RSM found companies will delay security updates or investments because "they feel that cyber insurance will backstop their risk," said Ken Stasiak, principal at RSM, in the report.
While there are a number of issues with that kind of practice, businesses will often find, in the wake of an event, that "their policy did not include that type of event" or the policy "simply did not apply because their lack of controls violated the covenants of the policy," said Stasiak.