information about pending deals or
other confidential information has
been used to trade on companies,”
Bridges said. “
Even if it seems as if nothing was
stolen or no damage was done, there is
still a breach of confidentiality. But then
you look at the actual loss, and it can be
difficult to determine who was harmed.
“Network security is now a very
important part of due diligence before
mergers, acquisitions or divestitures,”
He said that a loss in such a
situation might fall in a gap somewhere
between a cyber policy and a more
conventional D&O policy.
“There could also be a reputational
risk, but there is not meaningful
reputational coverage out there yet.”
The bigger issue, according to
Sheehan, is for the Securities &
“Was it insider trading, just at a
different level? At the same time,
insureds need to be thinking about all
these threats. They need to be working
with their brokers and carriers on how
to value their virtual assets.”
In underwriting cyber coverage, two
points of contention are the frequency
of reporting and the treatment of prior
acts. Insureds are disinclined to report
frequent breaches, even though it is
now widely understood that businesses
are under constant attack.
“Noticing every possible attack
doesn’t make sense for our clients
or the insurers,” said Bridges. “We
counsel clients to make decisions on
reasonableness and materiality using our
collective judgment as to the types of
cyber incidents that should be reported.”
“The market now has adjusted to
where you can get a year or two, maybe
There is also the importance of
appearance. “The challenge for business
is the shift in optics from prevention to
detection,” said Rosenzweig.
“Organizations are constantly aware
of intrusions, and they struggle with
disclosure, especially if there has been
no exfiltration of sensitive information.
A lot of companies have stumbled.
There is a hassle of reporting and a risk
of failure to report.”
Rosenzweig is magnanimous about
prior acts. “There has been a lot of
improvement in coverage,” he said. “As
long as there is no misrepresentation of
knowledge of prior acts, some insurers
are giving full coverage. Others are at
least giving a look back of a few years.
“The complication is that you often
don’t know about prior access until you
are into the forensics.
“It is especially important for first-time buyers, and also in negotiating
about prior acts. I would fight for
coverage if an owner really did not
have knowledge.” &
GREGORY DL Morris is a freelance writer
based in New York, with a specialty in the
energy industry. He can be reached at
In a case like St. Jude’s there does
not seem to be a trigger for cyber
coverage. “It was reputational,” said
Robert Rosenzweig, national cyber risk
practice leader at Risk Strategies Co.
“For a company to transfer that risk it
would need proper wording in its D&O
or a stand-alone reputational policy.”
The St. Jude’s bear-raid “gives me
pause,” said James Sheehan, cyber risk
1 Ambest Road • Oldwick, NJ 08858 • (908) 439-2200, ext. 5311 • www.ambest.com
Build a better
risk management strategy
with tools from A.M. Best
Best’s Underwriting &
Loss Control Center
Detailed underwriting reports and on-site
inspection checklists examining the coverage
needs of nearly 600 types of businesses,
industries and municipal services.
Best’s Insurance Reports ®
Qualitative analysis of thousands of companies,
with each report including the Best’s Credit Rating,
Rating Rationale, risk management strategy overview,
business profile and more — available nowhere else.
A.M. Best’s Financial Suite
The latest financial information from the annual and
quarterly statements of thousands of life/health and
property/casualty companies in the U.S. and around
Visit us at Booth #1227 at RIMS in Philadelphia
to learn more and enter our Grand Prize drawing.
Best’s Insurance Reports and the products in
A.M. Best’s Financial Suite are delivered via
BestLink, A.M. Best’s enhanced data-retrieval
and integration service.