Cyber Insurance: A How-To Guide


Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But, a substantial portion of organizations don’t carry coverage for data breaches despite numerous high profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal. The following provides a snapshot of information concerning cyber insurance. …


Guest Op-ed: Frequently Asked Questions Regarding Cyber Insurance

Our clients have a lot of questions when it comes to cyber insurance. For this week’s op-ed, we asked Tim Burke, director of cyber risk at IMA, Inc., if he could discuss the two main questions that he receives from clients who are investigating cyber insurance as well as his typical response. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony

Frequently Asked Questions Regarding Cyber Insurance

By Tim Burke, IMA, Inc.

We have now reached a recognition by most commercial entities that cyber insurance is a “need to have” as opposed to a “nice to have.” Having been involved with cyber insurance dating to 1999, I have seen quite a bit of change in the marketing and scope of this coverage. Today, my job often involves presenting on this topic to a wide variety of audiences who pose engaging questions. Therefore, I have addressed within this post some of the most commonly received inquiries pertaining to cyber insurance.

Q: What is the biggest mistake you see in consideration of purchase of this coverage?

A: One consistent issue I see is companies viewing this issue as exclusively related to privacy breaches: "If we do not maintain a significant amount of confidential information (e.g., PII, PHI, PCI), then we have no relevant exposure." That logic may be accurate to an extent, but the primary intent of the coverage is to address operational risks associated with failures of security and safeguarding confidential information. This can extend to internal operational errors as well as outsourced functions. The scope of coverage is broader than most realize and extends to first-party risks such as business interruption and costs to replace data. A recent example of this is the number of highly publicized ransomware attacks where there was significant operational disruption, including downtime and loss of data. Since most traditional property and casualty policies do not address new and emerging perils (malware, denial of service, encryption), cyber insurance policies have been specifically designed to address those gaps in your insurance portfolio. I often pose this guiding question: what is the enterprise value of your intangible property vs. tangible property, and how does your insurance program reflect that?

Q: What suggestions can you provide for an effective procurement of this coverage?

A: The first suggestion is to recognize this is an enterprise risk issue, not an "IT" issue. As part of that consideration, you need to break down the silos within the organization to foster dialogue and awareness. Bring together a cross spectrum of relevant stakeholders (CISO, CIO, Legal, Risk Management, Finance, Marketing) to identify and quantify unique operational risks. Examples of unique "blind spots" we come across are outsourcing, industry-specific regulation, M&A and reputational impact. Build a consensus and then develop a list of coverage priorities. These priorities should then dictate your marketing goals. The cyber market is highly competitive (50+ carriers) with creative underwriters eager to write new business. You should also engage in direct dialogue with a prospective insurer, as underwriters welcome the opportunity to learn more about your operations. It also provides an opportunity for you and your broker to pose questions of them. As part of that discussion, include a representative from the claims department to discuss experience handling your peers' claims, industry trends and expectations in the event of a claim. Ultimately, a well-thought-out strategy results in you dictating the pace to the marketplace as opposed to vice versa, and eliminates any questions you may have on the viability of your coverage.

Tim Burke is the Director of Cyber Risk at IMA, Inc. As the national practice leader, he is in charge of researching emerging issues and creating proprietary solutions. Areas of focus include creation of custom risk transfer programs based on industry segment, loss control solutions and fostering partnerships with service providers. Tim has over 15 years of experience underwriting and selling cyber insurance. He has assisted numerous clients in managing through high-profile data breaches. Those experiences allow him a unique perspective on both the design and claims protocol of cyber insurance. He specializes in working with companies in the energy, retail, hospitality, financial and healthcare industries. He is a frequent presenter at industry conferences and a recognized innovator in the rapidly evolving area of cyber risk. Tim can be reached by email at

Op-ed: Let’s Not Kid Ourselves – There Is No Insurance for the Big Data Risk

Cyber-insurance is on the minds of most Boards (and, therefore, most CEOs, CFOs, and GCs). As a result, clients often ask us to benchmark their cyber-insurance policies, or to work with their brokers to make sure that the policies they purchase have real coverage.

The market for cyber-insurance is incredibly diverse, and there are a hundred traps for the unwary. If you are interested in understanding the gaps to look for, the exclusions to avoid, and how to get a reality check on limits, we’ve published several guides on the topic and have recorded several presentations.[1] Understanding the traps can help steer you from buying a “junk” policy that provides no real coverage. But that’s not necessarily where the role of attorneys stops.

I always try to remind my clients to keep one thing in mind. There is no insurance for the “big” data risk. Why? The “big” data risk is your company’s reputation.

There are few instances I can think of where the potential reputational impact from the mishandling of data did not outweigh (exponentially) the possible legal liability. While some insurance policies provide access to public relations experts (at least in the case of a breach), and a few policies attempt to compute reputational damage by comparing earnings in the 12 months preceding a data event with earnings after a data event, no policy can make a company whole for the long-term impact of losing the trust of customers and the public.

Managing the reputational risk is, unfortunately, a lot more complex than buying an insurance policy. It means making strategic decisions about what you collect, how you use it, with whom you share it, and how you will respond to a crisis – like a data breach – when it occurs. Those decisions require creativity, planning, and practice that can’t be purchased, but can turn out to be priceless.

[1]  See;;

Guest Op-ed: Cyber Insurance – Just as Much Benefit in Preparing for the Submission as There is in Procuring the Coverage

Most of our clients have to make decisions regarding cyber insurance every year – whether they are deciding to go to market for the first time, coming up for renewal, or considering switching providers. We asked a cyber insurance expert her opinion as to whether it’s worth testing the cyber insurance market even if you decide not to move forward on coverage. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave. 

– David Zetoony

Cyber Insurance – Just as Much Benefit in Preparing for the Submission as There is in Procuring the Coverage
By Florence Levy, JLT Specialty USA

The process of purchasing cyber insurance can be a daunting task. With the onslaught of cyber and privacy-related breaches in the news, including prevalent ransomware attacks and social engineering tactics that impersonate high-level executives to induce improper funds transfers, the risks are high. The good news is that today’s more rigorous submission process can uncover a number of opportunities for companies to improve their cyber defenses.

Underwriters are becoming savvier with their due diligence in an effort to keep up with technology and associated exposures. Some employ internal resources like risk engineers, or outsource the more technical aspects to network security professionals. The questions can be numerous, topics can be diverse, and it takes a multi-disciplined, enterprise-wide approach to answer them.

For example, in review of your contracts for limitations of liability as it relates to cyber exposures, you may discover that you do not have “standard” wording regarding cyber-related exposures for clients or vendors. This may encourage you to work with your legal and sales staff to revamp your contractual language and ensure the appropriate limitations of liability and hold harmless clauses are in place.

You may also discover that your company does little to no training for employees regarding cyber and privacy awareness. With a significant number of incidents stemming from internal employee error, negligence, or, frankly, rogue employees, it’s imperative to appropriately train your staff on security and privacy risks. Consequently, you may work closely with your HR and legal departments to ensure that new employees are properly vetted and sign off on a cyber-risk training program that includes data retention, access and classification policies.

This process will assist you in quantifying and qualifying cyber risk, through taking inventory of information assets, reviewing and adopting any relevant or necessary compliance frameworks, identifying key vulnerabilities, and potentially creating internal positions that you may have never thought were important or relevant (the role of Chief Privacy Officer, for example, isn’t so out of the box anymore).

The process will also oblige you to identify owners of cyber risk management within your company, document processes and technology, and construct and test your incident response/crisis management plans. While underwriters care about the technical aspects of your risk (With whom do you outsource for various technology processes? Do you have firewall protection? Do you encrypt sensitive data at rest and in transit?), they care just as much about your corporate culture around cyber and data privacy risks. As a result, you’re compelled to proactively define your security posture, and tell your story around risk mitigation and breach preparedness.

This in-depth, intra-company process facilitates open communication across disciplines. The end result is a positive one – you’ve aligned your firm’s awareness and preparedness with unique risks and exposures, while potentially procuring a financial risk transfer solution that will perform in the event of a loss, protecting your company’s most precious assets.

Florence Levy, Esq. is the senior vice president of the Cyber / Errors & Omissions (E&O) Practice at JLT Specialty USA where she focuses on creating cyber and E&O risk management programs for companies in a wide array of industries. Her expertise lies in identifying exposures, program design, contract language, negotiation and claims advocacy to ensure her consultancy reflects her clients’ unique exposures. Florence has more than 15 years of experience in the insurance industry as a cyber and commercial E&O specialist. Prior to joining JLT, she was head of the U.S. Global Technology and Privacy Practice for Lockton Companies, as well as the national practice leader for Aon’s Professional Risk Solutions Group. Florence has spoken at many industrywide events and been quoted in a variety of trade publications. She was selected by Business Insurance among the 2015 Women to Watch. Florence can be reached by email at or phone at 720-530-9934.

Questions to Consider When Shopping for Cyber Insurance

Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But a substantial portion of organizations do not carry coverage for data breaches despite numerous high-profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal. …


Webinar: Developments in Cyber Insurance for In-House Lawyers – Are You Getting the Coverage You Expect?

July 28, 2016 at 12 p.m. EDT

Five years ago only a minority of companies had cyber insurance. With high-profile breaches, cyber insurance has quickly become the standard rather than the exception, but a cyber insurance policy is far from standardized. Bryan Cave’s David Zetoony discusses how in-house counsel should read cyber insurance policies to make sure that their clients receive the coverage that they expect.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Bryan Cave to Host Cyber Insurance CLE Seminar

May 18, 2016

Bryan Cave will host a CLE seminar in its Chicago office with separate panels on cyber insurance and public policy. The May 18 seminar will be presented by guest speakers and Bryan Cave lawyers from multiple offices.

The cyber insurance panel will be moderated by Chicago Of Counsel Maria Vathis. Panelists will include Boulder Partner David Zetoony; Aaron Carlson, director of business development at Rust Consulting; and Ryan Griffin, vice president of the cyber/E&O practice at JLT Specialty.

The public policy panel will discuss, from both sides of the aisle, the anticipated legal, business, and political environment, post-2016 presidential election. Panelists will include St. Louis and DC Senior Policy Advisor Jack Oliver and DC Partner Miguel Rodriguez.