Speaking with Judy Selby – a leading expert on Cyber Insurance consulting to corporates and insurance companies.
Hi Judy, thank you for joining us today.
Hi Nir, thank you for having me.
What can you tell us about your background?I was an insurance coverage lawyer for 25 years, handling large, complex coverage matters, usually on behalf of insurance companies. I was fortunate to have had substantial trial and international arbitration experience. When litigating coverage claims, it becomes readily apparent that the precise wording of the policy is crucially important. Many cases are decided on the basis of a single work or on the absence or inclusion of punctuation. This background has been extremely helpful in my consulting practice, where I assist companies to get better coverages, improved alignment of their insurance policies, and increased clarity of policy language to avoid coverage disputes. I also help companies to better understand their requirements and conditions under the policies so that they can avoid missteps that may jeopardize coverage.
How did you start dealing with Cyber Insurance?
I began dealing with cyber insurance when data breaches and regulatory requirements concerning data protection and privacy began gaining prominence. I already had a strong insurance background, but I also took a number of courses through the Massachusetts Institute of Technology (MIT) on cybersecurity and related issues to assist with counseling my clients about coverage for cyber risks. It must always be remembered, however, that although cyber policies raise new technology and privacy-based issues, they are still insurance contracts. Even cyber forms are relatively new, many of the terms in cyber policies, and the rules of policy construction have been the subject of decades, or more, of specialized insurance jurisprudence. I believe its very important to understand those issues when selecting a cyber policy.
What is your position on Cyber Insurance policy wording process?
It’s challenging. There are no standard forms and each carrier’s form is different. This makes policy comparison difficult. It’s vitally important to review every word of a policy before it’s purchased. The good news is that because the cyber insurance market is soft, insureds often have the opportunity to negotiate for more favorable policy terms. They just need to know what issues to raise with their brokers and/or insurers.
What are some of the challenges you see insurance companies have to deal with when offering a new cyber product?
There certainly are issues when it comes to underwriting new cyber risks. Many insurers have done a good job of creating new coverages to deal with today’s constantly emerging new cyber threats. But unlike with other more traditional risks, insurers do not have decades of data on which to base underwriting decisions.
Do you see many claims? Can you share an interesting example you have seen?
In my experience, the vast majority of claims are paid. But I have seen claims denied when an insured violates a policy condition, such as not obtaining prior consent before making expenditures after an incident. Going forward, I suspect that we may see more insurers challenge claims when they believe the insured provided inaccurate information to the insurers when obtaining coverage. That’s why incredibly important for companies to ensure that any information they provide to an insurer is accurate. They can’t just wing it or guess at responses to insurer questions. It likely will be necessary to get input from a cross-section of stakeholders, include third party service providers, to respond accurately to insurer questions. And if a company doesn’t understand an insurer’s question, it should seek written clarification before responding.
What is your prediction for the market in the next few years?
I expect to see the uptake of cyber coverage continue to increase, both in the US and elsewhere. New regulations, such as the GDPR, increase the stakes for today’s companies, and many small and midsize companies are not well positioned — technically or financially — to deal with a cyber incident or the regulatory fallout. An appropriately designed cyber policy can help these companies successfully take and survive a cyber punch.
Thank you for your time Judy.
Thank you Nir.