Looking at the cybersecurity headlines from the past few years, we’ve seen significant data breaches happening more frequently and increasing in severity. At the same time, the cost of cyber insurance is rapidly rising, coverage limits are shrinking, and loss exclusions are more common than ever.
Vulnerability is at an all-time high and no business is completely safe from attack. Businesses of all sizes and types have become victims, including some of the largest players such as Acer, Kia Motors, the NBA, and the insurance giants AXA and CNA.
In anticipation of a cyber attack, or as a business requirement placed on them by customers, many mid- to large-sized organizations invest in cyber insurance to protect their financial interests and overall operation. But for smaller businesses, knowing where to start can be challenging.
Those looking for cyber insurance are often left feeling confused about what providers do (or don’t) cover, sometimes questioning whether or not it’s worth it at all.
If you’re unfamiliar with this type of coverage, let’s go back to the basics. Put simply, cyber insurance is a form of coverage designed to protect businesses from the threat of a cyber attack such as a hack, ransomware, or other cyber threats.
Having a cyber policy in place may protect you from crippling financial losses after a successful attack, but the keyword is "may".
In fact, in order to secure reasonable cost and coverage, your business will likely need to prove your company has a cyber security plan and is security-aware and responsible in the first place.
The objective of having cyber insurance is to help mitigate losses when a cyber attack occurs.
A cyber attack can be triggered by any number of different vectors, although the most common attacks covered by insurance include ransomware, malware, email scams, data exfiltration, and fund-transfer fraud attacks.
Coverage may provide protection against cyber incidents that affect your own organization directly (first-party losses) or that cause damage to other organizations (third-party liability), including costs arising from data theft, hacking, extortion demands, crisis management, and legal claims for fraud, defamation, and privacy violations.
Cybercrime can cause significant damage to any business.
For example, an SEC document revealed that information security staff members at First American Financial Corporation were aware of a software vulnerability for five months but failed to fix it, resulting in a data breach.
This breach resulted in personal information and mortgage-related documents being exposed on an online document-sharing portal. The information in these files includes:
This is just one example of the dangers a cyber attack poses to your business's reputation, your customers' personal information, and more. A successful attack also leaves you open to government investigation and sanctions, and the specter of class-action lawsuits.
While you may think that cyber insurance may be the best option to protect yourself and your business, you should also be aware of the pitfalls that come with it.
Unfortunately, simply choosing to invest in cyber insurance without instituting a full cyber security program is not an effective way to protect your business from a cyber attack.
Cyber insurance may be required for your business, but keep in mind that its value comes after an attack, and it’s not going to limit or stop the damage.
Here are some of the most common pitfalls of cyber insurance:
Coverage Can Be Denied for ‘Failure to Maintain’
Sometimes, a claim can be denied if the insured party (you) fails to maintain minimum or adequate security standards.
Failures that trigger this exclusion can include the lack of, or an inadequate, System Security Plan (SSP); the lack of, or an inadequate, Incident Response Plan (IR Plan); no employee awareness training; inadequate anti-virus/anti-malware software; systems and applications that are not properly patched; and outdated hardware such as old firewalls.
When you file a claim, the carrier will require you to prove that your house is in order. If you can’t satisfy their requests, your claim will most likely be denied and the coverage that you thought you had will evaporate.
In 2014, shareholders filed a class-action claim against Cottage Health when the hospital accidentally published confidential information about clients online.
Although human error was the main fault behind the leak, the insurer alleged that the hospital lacked ‘basic’ controls such as encryption, a claim the hospital disputed. A lawsuit was filed against the health system for the exposure of patient PHI, which Cottage Health settled for $4.125 million.
A large proportion of that settlement was due to be paid by the health system’s insurance company, Columbia Casualty. However, Columbia Casualty sued Cottage Health, claiming that numerous security failures contributed to the cause of the breach.
The insurance policy required Cottage Health to implement a number of controls to reduce risk. Columbia Casualty attempted to get out of covering the settlement, but its lawsuit against Cottage Health was eventually thrown out.
Simply said, if your house isn’t in order, your cyber security policy may not protect you.
Human error can be another reason for your claim being denied. We know of an instance where an employee clicked on a link in a phishing email, giving the cybercriminal access to the system. The carrier denied the claim on the basis that, by clicking the link, the employee aided and abetted the cybercriminal, which was in violation of the policy terms.
You have to carefully read and fully understand your policy language or be ready for a possible nasty surprise if you file a claim.
Challenges with Risk/Pricing
For insurers, the main challenge is that cyber risks are not like other risks. Threats are becoming more frequent and far more sophisticated, as the methods of cyber attacks have changed dramatically over time.
The number of attacks has continued to increase and the losses for carriers have mounted. The amount of coverage offered by carriers is being scaled back while premiums skyrocket.
For example, we know of a company whose coverage was slashed in half by the carrier, from $5 million in 2020 to $2.5 million in 2021. In order to retain the same $5 million of coverage required by their customers, this organization was forced to purchase an excess policy, which raised their total premiums by more than 133% over what they had paid for coverage in 2020.
Some Important Things Aren't Covered
If you’re the victim of a cyber attack, you could risk losing a lot of money in other ways, such as the loss of intellectual property, which generally isn't covered by cyber insurance.
Another loss not covered is the damage to an organization's reputation and loss of trust with customers, partners, business associates, and the general public. Reputational loss can be catastrophic or even fatal to your business.
Coverage Varies with Each Insurer
Unfortunately, there’s a lack of universal, set rules followed by each insurer. For example, in 2017, two major cyber attacks (‘WannaCry’ and ‘NotPetya’) took out major networks.
The ‘NotPetya’ attacks took major organizations offline and resulted in huge revenue losses. Some organizations were even forced to rebuild their networks from scratch.
You’d think such a major event would be covered by insurance; however, because the NotPetya attack was linked to the Russian military and classified as an ‘act of war,’ many providers refused to pay, as the cause was listed as an exclusion, and nullified the claim.
Response to Attacks Can Be Restricted
Some insurance policies may restrict the ways that organizations respond to attacks. For example, if an organization needs legal counsel, they may prefer working with a law firm they have an existing relationship with.
However, coverage may dictate that organizations need to use specific resources or avenues provided by the insurance company, and if they don’t, the carrier may refuse to honor the claim.
Restrictions like this give businesses less flexibility and less peace of mind, since they may not know what is and isn’t covered and what the rules are. How many of you have carefully read your policy fine print and fully understand what it says and what the ramifications of those words are? We know from speaking with clients that the answer is not many.
All too often, policy language is written so only a lawyer can fully understand it. There’s a reason for that...
Insurance Can Lead to Complacency
If you’re insured, you might get tempted to become complacent. Perhaps internal data governance policies are pushed to the back burner, and you become lax, relying solely on insurance to protect you from the fallout.
The truth is, even with insurance, you still have a responsibility. If you become lax with your internal security measures and come under attack, your claim could get denied by your insurance company.
You should remember that insurance isn’t a quick fix or a magic solution to reduce your responsibility. You’re still accountable, perhaps even more so with insurance.
The Bottom Line
Cyber insurance is not a substitute for a well-defined and implemented cyber security program. Cyber insurance is always called upon after a successful attack and is only as good as the policy language and its exclusions.
Insurance companies are in the business of writing policies, collecting premiums, and not paying claims whenever they can, and they will look for those reasons to deny your claim.
In order to protect yourself, you need a good cyber security plan that will:
There are measures you can take to improve your cyber security posture and having a conversation with JANUS Associates is a good place to start.
We are dedicated to improving the information security of our clients, and society at large. In business since 1988, JANUS offers a full range of high-quality cyber security, privacy, and regulatory compliance services at affordable costs.
We understand the challenges that organizations of all sizes face and we can help you achieve your information security goals regardless of your size. Contact us today and speak with a JANUS cyber security professional.