When it comes to cyber security and cyber liability insurance, companies are concerned over losing twice – victim of both a cyber breach and cyber insurance claim declination.
The expenses that come with a data breach quickly become a serious problem. Cyber liability is not covered by general liability policies. Learn more about cyber liability insurance in our previous post https://www.bpiis.com/cyber-liability-insurance-and-the-benefits-of-information-governance/
First a security event results in significant damages, then the insurance policy denies coverage. From blanket exclusions, to language, to sub-limits, this article discusses a few significant areas in which carriers are declining coverage and how to avoid them. Because cyber liability coverage is still a relatively new insurance product, policies between providers can vary greatly as can deductibles and monthly premiums.
RANSOMWARE: Ransomware attacks inflict significant damages including lost income, asset restoration, reputation restoration, and lost clients, which can be difficult to quantify and equally difficult to insure against. With cyber policies sometimes setting individual limits per insuring clause and further sub-limiting specific elements, policy limits can be difficult to navigate.
Insurance purchasers should perform a careful assessment of the extortion insuring clause and review all limits, sublimits, deductibles and time deductibles for adequacy.
FAILURE TO MAINTAIN: Often referred to as the negligence or “failure to follow minimum required practices” exclusion, some carriers contain within their policy language a specific exclusion which precludes coverage for claims arising from the insured’s failure to maintain minimum/adequate security standards or “continuously implement the procedures and risk controls identified in the insured’s application for this insurance.”
Companies should perform careful reviews of the cyber policy terms and exclusions to identify clauses or wording requiring the insured to comply with cyber security controls. Leadership must work closely with the CISO, IT and information assurance departments to confirm the accuracy of all statements contained within the application.
PRE-BREACH LAWSUITS: Many insurers draft language around the requirement of an intrusion, breach, or security event to trigger coverage.
Perform and continuously document due care including regular patching, security updates, and system updates. Companies should explore avenues for coverage like cyber DIC policies and potentially E&O or D&O policies (barring any exclusions).
SOCIAL ENGINEERING SCHEMES: Companies suffer damages from social engineering attacks via phished email credentials, by way of phone or letterhead, or direct altering of bank account information by hackers. While wording adapts to better cover computer fraud and social engineering losses, many policy forms contain language such as “authorized” and “direct” with which carriers can deny coverage.
The first step to being afforded coverage for such claims is ensuring that any cyber liability policy has an appropriate social engineering endorsement. It is also advisable to perform a careful assessment of the social engineering clause, as endorsements can vary significantly.
Is your company concerned? BPI makes cyber security and cyber liability insurance easy. (248) 357 – 3980.