Key Challenges Associated With Cybersecurity Insurance
Qualifying for a cybersecurity insurance policy is not as easy as business owners may assume. Furthermore, no policy can be relied on to keep a business protected under every circumstance. Demonstrated cybersecurity standards play a significant role in the type of coverage a business can receive, and the conditions of a cybersecurity event may limit coverage after the fact.
The growing threat of modern cybercrime has led businesses to begin investing in cybersecurity insurance over the past few years. It’s becoming more and more necessary to develop confident cybersecurity processes, as many insurance providers have begun holding clients to higher standards and drawing a clear line between normally covered losses and those incurred by cybercrime-related events.
That means that if the covered entity’s cybersecurity doesn’t meet the standards of its insurance provider, they may not qualify for coverage, or they may not get the payout they expect in the event of a breach. That’s why it’s so important for businesses to understand their potential cyber risk before they seek out cybersecurity insurance.
What Is Cyber Risk?
Put simply, cyber risk refers to any liabilities resulting from a business’ use of information and communication technology. When a business stores and accesses sensitive data in a digital medium, it is potentially exposed to a range of risks. These threats need to be properly mitigated with managed cybersecurity solutions and processes.
This is important in terms of cybersecurity insurance because a business’ level of cyber risk can affect the coverage it qualifies for, the cost of any associated premiums, and the potential coverage available in the event of an incident.
What Is Cybersecurity Insurance?
Often referred to as cyber risk or data breach liability insurance, cybersecurity insurance is a type of stand-alone coverage. Cybersecurity insurance is designed to help businesses cover the recovery costs associated with any kind of cybersecurity incident.
What Is Covered By Cybersecurity Insurance?
The following categories of cybersecurity insurance policies are intended to cover a range of liabilities. However, it’s important to remember that, in practice, these policies may be much more limited.
- Breach and event response coverage: A very general and high-level form of coverage, this covers a range of costs likely to be incurred in the fallout of a cybercrime event, such as forensic and investigative services; breach notification services (which could include legal fees, call center, mailing of materials, etc.); identity and fraud monitoring expenses; public relations and event management.
- Regulatory coverage: Given that a range of organizations has a hand in regulating aspects of cyber risk in specific industries, there are usually costs that come with defending an action by regulators. This covers the costs associated with insufficient security or “human error” that may have led to a privacy breach. Examples may include an employee losing a laptop or e-mailing a sensitive document to the wrong person. However, this type of coverage is not just limited to governmental and healthcare-based privacy breaches. It can also be useful for non-governmental regulations that intersect with the payment card industry and are subject to payment and financial regulatory standards.
- Liability coverage: This type of coverage protects the policyholder and any insured individuals from the risks of liabilities that are a result of lawsuits or similar claims. If the covered entity is sued for claims that come within the coverage of the insurance policy, then this type of coverage will protect them.
Cybersecurity insurance liability coverage comes in several types, including:
- Privacy liability: This applies to the costs of defense and liability when there has been a failure to stop unauthorized use/access of confidential information (which may also include the failure of others with whom the entity has entrusted data). Coverage can also extend to include personally identifiable information and confidential information of a third party.
- Security liability: On a higher level, this type of coverage applies to the costs of defense and liability for the failure of system security to prevent or mitigate a computer-based cyber attack, which may include the propagation of a virus or a denial of service. An important note — failure of system security also includes failure of written policies and procedures (or failure to write them in the first place) that address secure technology use.
- Multimedia liability: This type of coverage applies to the defense and liability for a range of illegal activities taking place in an online publication, such as libel, disparagement, misappropriation of name or likeness, plagiarism, copyright infringement, or negligence in content. This coverage extends to websites, e-mail, blogging, tweeting, and other similar media-based activities.
- Cyber extortion: This type of cybercrime event is generally a form of ransomware attack, in which a cybercriminal keeps encrypted data inaccessible (or, alternatively, threatens to expose sensitive data) unless a ransom is paid. Coverage of this type addresses the costs of consultants and ransoms, including cryptocurrencies, for threats related to interrupting systems and releasing private information.
Does Cybersecurity Insurance Offer Complete Protection Against Cybercrime?
A common misconception is that a cybersecurity insurance policy is a catch-all safety net, but that’s simply not the reality. Without a comprehensive cybersecurity strategy in place, a business may not qualify for a policy in the first place. Furthermore, in the event of a hack, a business may not qualify for full coverage if their cybersecurity standards have lapsed, or if they can be found to be responsible for the incident (whether due to negligence or otherwise).
The core issue is that as cybercrime becomes more common and more damaging, insurers will become more aggressive in finding ways to deny coverage. It’s in the interest of their business to pay out as little and as rarely as possible, which means the policies will tend to rely on a series of complicated clauses and requirements that covered parties have to comply with.
A key example of this is when Mondelez International was denied coverage for the $100 million of damage they incurred from the NotPetya attack. Their insurer, Zurich Insurance, cited the obscure “war exclusion” clause, claiming that Mondelez was a victim of a cyberwar.
This is not an isolated incident. As discovered by Mactavish, the cybersecurity insurance market is plagued with issues concerning actual coverage for cybercrime events:
- Coverage is limited to attacks and fails to address human error
- Claims are limited to losses that result directly from network interruption, and not the entire period of business disruption
- Claims related to third-party contractors and outsourced service providers are almost always denied
All this goes to show why business owners need to look carefully at the fine print of their cybersecurity insurance policy and ensure their cybersecurity standards are up to par. No one should assume they’re covered in the event of a cybercrime attack — after all, for every $1 million paid in premiums, insurance companies only pay out $320,000 in claims.
How To Develop Confident Cybersecurity
Business owners need to make sure their business is properly protected against common and dangerous cybercrime methods. The better defended they are, the less likely they’ll have to rely on their insurance policy.
In order to determine what type of cybersecurity insurance a business may need, start by taking stock of the organization and the potential threats posed to it. It’s important to understand that, in order to qualify for cybersecurity insurance, the business may need to implement changes to its cybersecurity first:
- Evaluate system infrastructure: The best way to determine the kind of coverage that is best for the organization is to understand its IT infrastructure. By evaluating the systems from top to bottom, a business will have a clear idea of all the different access points that could be leaving its network vulnerable to threats.
- Improve security to reduce rates: Consider how investing in cybersecurity could save money on premiums. Businesses should open up a dialogue about it with the potential cybersecurity insurance provider and see what they suggest.
- Identify risks: Next, it’s best practice to conduct a risk assessment and an impact analysis. A third party (like Hammer IT Consulting) can manage this for businesses in need.
Carefully review all organizational assets – including financial data, customer information, and intellectual property. Categorize assets according to the risk and make considerations for the potential impacts that a data security event could have on all aspects of the business.
In Need Of Expert Assistance?
We can help you develop a resilient cybersecurity posture for your organization. Get in touch with the Hammer IT Consulting team for support in improving your cybersecurity. The U.S.-based team at Hammer IT Consulting is trusted, experienced and certified to meet all of your cybersecurity needs.