Insurance policies aren’t created equal: some will provide worry-free coverage, while others will have exclusion provisions that completely eliminate any possibility of payout. Cyber insurance in particular is such a new space that many buyers aren’t aware of the pitfalls associated with these policies. Here are some pointers to help you on your quest for appropriate cyber insurance coverage.
I’ve summarized each of the points below but advise you to discuss them with your insurance provider and legal counsel because I am neither. When you read through these, think about how they would impact your specific circumstances and how you could mitigate, transfer, or accept that risk.
- Exclusion for terrorist acts – some providers have lumped ransomware attacks into this category. If the attack is deemed a nation-state activity like WannaCry, you may not be covered.
- Limits on extortion – policies may have a very small cap on extortion events. Extortion is increasingly popular and these demands average around $200k or more.
- Insider threats – for example, a disgruntled employee releases ransomware. Because they work for you, claims will be rejected with this clause in effect.
- Forensics and response teams – generally speaking, your insurance provider will force you to use their forensics and response teams in the event of a breach. That’s okay, just be aware of the following:
  - If you want to use another provider, you will be paying for it unless it’s pre-approved.
  - Your insurance provider has a vested interest in keeping the damages to a minimum, which can at times be at odds with doing the best to recover from losses.
- Duplicate policies – never purchase redundant, disconnected policies with the same areas of coverage. They don’t add to each other; the insurers will just fight over who has to pay you.
- Free stuff – insurance companies want to limit the potential for damages, so they will often give you access to free materials, policies, procedures, etc., and they may even pay for your incident response plan to be created. Just ask!
- Business interruption – most policies have a mandatory waiting period before you can make a claim. Just be aware that you are on the hook for paying for that period of interruption.
- Legal representation – use the insurers’ lawyers because cyber insurance is a highly specialized area. In-house counsel generally won’t have the experience to deal with the complexities.
- Contractual liability – if you’ve made a specific statement or policy around how you protect your services and you haven’t lived up to your statements, your claim will likely be denied.
- Reporting times – policies will have specific requirements for reporting events to your insurer. Make sure you find out the shortest requirement and abide by it.
- Reporting requirements – policies vary quite dramatically regarding what types of events you have to report. Make sure you understand what you need to report.
- Initial costs – many policies have a provision that states you are on the hook for any “initial costs” during an event before you call your provider. Make sure you plan accordingly.
- Social engineering – this is a very large threat to companies; internal threats may be excluded. Read this provision carefully and make sure you are protected.
- Electrical or mechanical failure – policies may not cover you if there are widespread outages, meaning business interruption may not be protected.
- Failure to update security software – in the event any of your systems hasn’t been updated and a breach results, this could mean your policy won’t pay.
- Associated companies – if your company has multiple operating entities, make sure you list them in any policy. Some companies will attempt to circumvent payment by claiming it was a different entity that was attacked.
- Subrogation – you could be sucked into lengthy court proceedings and activities if there was a large payout and the insurer wants to recover their money.
- Regulatory fine limitation – have a solid understanding of what your potential regulatory fines might be and make sure you are covered for them; they’re increasing every year.
- Voluntary shut down coverage – it’s useful to have coverage for voluntary outages while you work on corrective measures. Some policies exclude or limit them dramatically.
Insurance is not something you use every day; it’s generally used when you are in serious trouble and unable to continue operations. The last thing you want to hear from your insurer is that you aren’t covered for your incident and you have to go it alone. Read your policies carefully before you partner with an insurer.
A final helpful tip: when an insurer asks you to fill out a questionnaire to assess your qualifications and premiums, be truthful! If you misrepresent yourself on that form – and it’s discovered – you can guarantee your claim will be denied and your policy cancelled. A shortsighted approach of saving a few hundred dollars on your premium may cost you your business!