happier IT Inc.

View Original

Are You Sure You’re Compliant With The Terms Of Your Cyber Liability Insurance?

It doesn’t matter how robust of a cyber liability insurance policy you’ve invested in if you’re not complying with its terms. Are you sure you’ll be covered in the event of a cybercrime incident?

Is your cyber liability insurance policy giving you a false sense of security?

While it’s certainly wise of you to have invested in coverage against cybercrime-based damages, it won’t amount to much if you’re not complying with the terms of your policy. Even if you think you’re complying, there’s no telling if your insurer will cite an unexpected clause in order to avoid paying out your claim.

This is a more common occurrence than you might assume — businesses invest in a cyber insurance policy and either fail to follow its terms or are denied coverage based on something they failed to foresee. They get hit by a cybercrime attack, and it turns out they’re not covered. 

Case in point: the National Bank of Blacksburg in Virginia was breached twice in two years, but, at the time, was confident in their cyber liability insurance. It came as a shock when their insurance provider, Everest National Insurance Co., opted to only pay $50,000 of the claimed $2.4 million on the grounds that the breaches were not covered by the policy. This resulted in further, costly litigation between the two organizations. 

Could the same happen to you?

What Is Cyber Liability Insurance?

Before we explore clause compliance and how insurers often attempt to avoid paying claims, let’s establish what we’re talking about. Often referred to as cyber risk or data breach liability insurance, cyber liability insurance is a type of stand-alone coverage. 

Cyber risk insurance is designed to help businesses cover the recovery costs associated with any kind of cybersecurity incident including: 

  • Breach and event response coverage: A very general and high-level form of coverage, this covers a range of costs likely to be incurred in the fallout of a cybercrime event, such as forensic and investigative services; breach notification services (which could include legal fees, call center, mailing of materials, etc.); identity and fraud monitoring expenses; public relations and event management.

  • Regulatory coverage: Given that a range of organizations has a hand in regulating aspects of cyber risk in specific industries, there are usually costs that come with defending an action by regulators.
    This covers the costs associated with insufficient security or “human error” that may have led to a privacy breach. Examples may include an employee losing a laptop or e-mailing a sensitive document to the wrong person.
    However, this type of coverage is not just limited to governmental and healthcare-based privacy breaches. It can also be useful for nongovernmental regulations that intersect with the payment card industry and are subject to payment and financial regulatory standards.

  • Liability coverage: This type of coverage protects the policyholder and any insured individuals from the risks of liabilities that are a result of lawsuits or similar claims.
    Put simply, if you’re sued for claims that come within the coverage of the insurance policy, then this type of coverage will protect you. 
    There is a range of types of cyber liability insurance liability coverage, which include:

  • Privacy liability: This applies to the costs of defence and liability when there has been a failure to stop unauthorized use/access of confidential information (which may also include the failure of others with whom you have entrusted data).
    Coverage can also extend to include personally identifiable information and confidential information of a third party.

  • Security liability: On a higher level, this type of coverage applies to the costs of defence and liability for the failure of system security to prevent or mitigate a computer-based cyber attack, which may include the propagation of a virus or a denial of service.
    An important note — failure of system security also includes failure of written policies and procedures (or failure to write them in the first place) that address secure technology use.

  • Multimedia liability: This type of coverage applies to the defence and liability for a range of illegal activities taking place in an online publication, such as libel, disparagement, misappropriation of name or likeness, plagiarism, copyright infringement, or negligence in content.
    This coverage extends to websites, e-mail, blogging, tweeting, and other similar media-based activities.

  • Cyber extortion. This type of cybercrime event is generally a form of a ransomware attack, in which a cybercriminal keeps encrypted data inaccessible (or, alternatively, threatens to expose sensitive data) unless a ransom is paid.
    Coverage of this type addresses the costs of consultants and ransoms, including cryptocurrencies, for threats related to interrupting systems and releasing private information.

Cyber liability insurance policies are offered by a variety of insurers and policy prices and exclusions vary widely among different providers. However, regardless of what type of policy you invest in, you have to make sure you’re complying with its terms.

The Problem With Cyber Liability Insurance

The core issue is that as cybercrime becomes more common and more damaging, insurers will become more aggressive in finding ways to deny coverage. It’s in the interest of their business to pay out as little as rarely as possible, which means the policies will tend to rely on a series of complicated clauses and requirements that covered parties have to comply with. 

Case Point #2: When Mondelez International was denied coverage for the $100 million of damage they incurred from the NotPetya attack. Their insurer, Zurich Insurance, cited the obscure “war exclusion” clause, claiming that Mondelez was a victim of a cyberwar. 

This is not an isolated incident. As discovered by cyber governance expert, Mactavish, the cyber liability insurance market is plagued with issues concerning actual coverage for cybercrime events:

  • Coverage is limited to attacks and fails to address human error

  • Claims are limited to losses that result directly from network interruption, and not the entire period of business disruption

  • Claims related to third-party contractors and outsourced service providers are almost always denied

All in all, these factors have led the industry to be extremely profitable for insurers, and extremely unreliable for businesses. Mactavish found that for every $1 million paid in premiums, insurance companies only pay out $320,000 in claims

Are You Complying With The Terms Of Your Cyber Liability Insurance?

All this goes to show why you need to look carefully at the fine print of your cyber liability insurance policy and ensure your cybersecurity standards are up to par. You cannot assume you’re covered in the event of a cybercrime attack — you need to know for sure. 

Furthermore, you need to make sure your business is properly protected against common and dangerous cybercrime methods. The better defended you are, the less likely you’ll have to rely on your insurance policy. 
their insurance provider, Everest National Insurance Co., opted to only pay $50,000 of the claimed $2.4 million

Do You Need Help With Your Cyber Insurance?

Whether you need help reviewing your current policy, or you need expert advice on choosing the right coverage, we can help you gather the right information and choose the best cyber insurance for your business.

Book your free consultation and talk to a cyber insurance expert today or learn more about how we can provide a happier IT experience.