outsources its information security management to
a qualified firm. “What if you say, ‘no’? Is that bad?”
Gamble said. “Maybe you have an employee who
Risk managers also often have to hunt for the
answers, whether from internal staff or external
vendors. And colleagues in IT may perceive the
application for insurance as second-guessing their
efforts to protect data.
“I can understand why that would be a difficult
pill to swallow,” said Anne Corona, managing director
and U.S. practice leader for cyber insurance at Aon
Risk Solutions. “But I think everyone understands
that this isn’t a criticism, but an added level of
protection, really, from a financial perspective.”
At the University of Wyoming, Peterson
contacted the IT staff to lay the groundwork before
she started lobbing questions. She explained
that cyber coverage was not a reflection of the
department’s work, but a necessary safeguard. And
despite good intentions, accidents can happen,
she added, just as they do in other university
departments. An employee could click on the wrong
link in an email, or lose a flash drive.
“We didn’t have any trouble getting them to help
us complete the parts of the application that we
needed their help with,” Peterson said, noting that
she also needed assistance from administrators in
other areas, such as finance.
One question asked for the percentage of revenue
from credit card transactions, Peterson said. But
revenue for a university is different than revenue
for a business. Peterson put down 9 percent, and
explained the sources of revenue, including state
and federal funding.
“We want to give them as much information as
possible,” she said.
Since their answers could come back to haunt
them in a coverage dispute, risk managers and other
insurance buyers need to take extra care.
“If they make a representation in an application
that they have certain security measures in place
and those security measures aren’t followed … or
aren’t actually in place, then the insurance company
could conceivably use that as a basis to avoid
coverage if there is a claim,” said Brooke Yates, a
partner in the litigation department at the law firm
of Sherman & Howard in Denver.
Past breaches, if they’re not reported on the
insurance application, also could become an issue,
said Tracy Tenorio, a senior vice president and
account executive at ABD, a commercial brokerage
But the answer was a shade of gray for the
University of Wyoming, which was applying this
year for its first cyber insurance policy.
“The answer might be yes, we have procedures,
but they might be different for our two medical
clinics than they would be for the accounts
receivable department,” said Laura Peterson, chief
risk officer for the university, in Laramie, Wyo.
Similar conundrums are confronting risk
managers around the country as they apply for
cyber coverage. Risk managers are finding that
the cyber application process is more taxing than
it is for traditional insurance — especially for
organizations analyzing coverage for the first time.
It’s the difference between buying a couch for the
living room, and trying to install a home wireless
network that syncs with computers, televisions and
stereos, said John Mullen, chair of the U.S. data
privacy and network security group at the law firm
Lewis Brisbois. “It’s just a whole different level of
Interest in policies has spiked over the last year,
When cyber insurance first emerged in the late
1990s, insurers sometimes hired third-party vendors
to test the network security of organizations as
part of the underwriting process. They also would
schedule meetings with clients to review their cyber
Today, most insurers rely on applications boiled
down as much as possible to yes-or-no questions.
The forms serve as a handy checklist for cyber
security efforts, according to brokers and insurers,
but the answers don’t come easily.
“Many customers are very uncomfortable with
that binary sort of yes-no response because it’s not
100 percent ‘yes,’ and it’s not 100 percent ‘no,’ ”
said Greg Gamble, a director at Crystal & Company,
a brokerage in New York City. “A lot of the time that
we spend with clients is helping them pick yes or
no, and then how to explain the answer.”
An application might ask whether a company
Streamlined applications for cyber insurance can leave a company
unsure about how to respond in a way that casts it in the best
possible light.
BY JOEL BERG
RISK & INSURANCE®
For Cyber Cover
• Carriers have shifted toward yes-and-no questions
for cyber insurance policies.
• Risk management may need to tread lightly with IT
to get cooperation on cyber policy applications.
• Risk managers often take a long time analyzing and
comparing the various product offerings.
EXPERTS SAY that some businesses don’t have a grasp on how many records they need to protect under a cyber insurance policy.
OCTOBER 15, 2014
“You can listen to other people who
have had breaches, but they’re all
very, very different, depending on
whose information was breached
and what information was breached
and what state is affected.”
— LAURA PETERSON, CHIEF RISK OFFICER,
UNIVERSITY OF WYOMING