Cyber liability insurance is designed to help protect organizations from the significant costs that can arise in the event of a data breach. With the 2018 Cost of a Data Breach Study by The Ponemon Institute calculating the average total cost per data breach at $3.86 million, it is easy to see how quickly costs can add up. It would be difficult, if not impossible, for most organizations to survive a hit that large.
If you have purchased or are considering purchasing a cyber liability insurance policy, how do you know what type of policy and coverage best fit your needs? You need to clearly define what data is covered and what isn’t, and to document the potential losses that are not covered. You must be sure that you understand the terms that must be met in order to receive benefits following a breach or compromise. Cyber insurance can be a valuable addition to your organization’s overall information security plan, but it is important to understand the limits of such policies when managing your risk.
When cyber insurance first hit the market, policies protected organizations specifically against lawsuits from victims. As the market has continued to evolve, policies now cover a number of other expenses. Depending on your risk profile and potential exposures, your organizational needs will differ, and you can select from a menu of assorted policies. In many cases, your insurance provider now even acts as your crisis management partner, connects you with appropriate subcontractors, and covers costs for:
- Fines and penalties issued by regulatory bodies
- Crisis management consultations
- Forensic investigations
- Public relations consulting
- Notification of affected individuals
- Credit monitoring
- Data restoration services
- Business interruption – lost income and payroll spent during downtime
- Dependent business income (for when your third-party service provider has a breach)
- Extortion incidents/Ransomware
- Social engineering/Phishing
Unfortunately, one of the challenges is that there is no consistency across the industry, especially in terms of standard language, and different insurance brokers will call the same thing by different names. When you are comparing different policies, it can be difficult to determine what coverage options are the same, which are different, and what is the most beneficial. For PCI coverage, we have generally seen the requirement that an organization must be able to attest, in writing, that they are PCI compliant at the time of applying for the coverage, or they may not receive full benefits in the event of a breach.
Most, if not all, cyber liability insurance policies also contain numerous exclusions. Reviewing the terms in detail to verify exactly what is covered and what damages or expenses would fall outside of the policy will help you avoid mistakes. Don’t just assume you are covered, only to realize that what you thought was “fraud” (a covered expense) actually qualifies as “negligence” (a non-covered expense) according to your insurance policy. It could be a million-dollar mistake!
In 2016, in two separate cyber intrusions over an eight month period, hackers used phishing emails to break into a Virginia bank and steal more than $2.4 million. Once the targeted phishing e-mail was clicked, the intruders were able to install malware on an employee’s PC, as well as compromise a second computer that had access to the system used to handle debit card transactions, customer accounts, and their use of ATMs. With this access, the hackers were able to disable anti-theft and anti-fraud protections, such as the 4-digit PINs, daily withdrawal and usage limits, and fraud score protections. The hackers then used ATMs across the US to steal funds from customer accounts. During the second intrusion, they were able to gain access to additional systems that allowed them to credit more than $2M to various bank accounts.
The bank had previously purchased two types of coverage under its cyber insurance policy: one for computer and electronic crime, and another for debit cards. Following the breach, the insurance provider refused to cover the losses related to the breach, offering instead only $50,000. It claimed that the bank could only recover funds under the debit card rider, and not the larger computer and electronic crime policy, because the losses in the breaches involved the use of debit cards and automated mechanical devices.
The insurer cited two exclusions spelled out in the agreement. The first exclusion ruled out coverage for any loss resulting directly or indirectly from the use of payment cards to obtain credit or funds, or to gain access to automated mechanical devices. The second exclusion denies coverage for loss involving automated mechanical devices that dispense money, accept deposits, cash checks, etc. The bank is arguing that the attack clearly originated as a computer/electronic crime and is suing its provider for refusing to provide that coverage. The outcome of this case will be important for the cyber security insurance industry and for consumers, as it may be the first step in pushing insurance companies to clear up what are now confusing and ambiguous policies.
The lawsuits can also go the other way. Two cyber insurance companies recently filed a lawsuit demanding $30 million repayment in claims from the cybersecurity firm Trustwave, which had certified Heartland Payment Systems as PCI DSS-compliant prior to its 2008 data breach. The insurance providers claim Trustwave’s negligence contributed to the breach, so they are trying to recover funds that had previously been disbursed.
Moving forward, cyber insurance policies should be viewed only as a component of your information security program. Do not give up, assume a breach will happen, and reduce your prevention efforts because you believe that your cyber liability insurance will cover you. That approach can quickly backfire for a number of obvious reasons, the main one being this: if you are unable to take basic steps to safeguard your data, then you can’t expect the insurance company to cover your losses. Insurance carriers can, and will, deny coverage if they find you have failed to follow minimum required practices (up to and including your previously confirmed PCI compliant status), so your organization must continue to implement and maintain effective security controls.
When applying for insurance, your organization may be asked to share risk assessments and other information related to your information security program. A comprehensive program will minimize any gaps where coverage may not be available and will include the following:
- Written policies and procedures
- An individual to oversee cybersecurity
- Security awareness training for all staff
- Effective contracts with third parties that have access to confidential information (see the Third-Party Service Provider article)
- Updated risk assessments (that include new threats as they arise)
- Incident response plan (IRP)
Cyber insurance can help minimize the overall financial impact to your organization and reduce the broader impact a breach can have, but it is critical to thoroughly review and understand the terms of the agreement. Having an insurance policy doesn’t absolve the organization from continuing to focus resources on good information security practices. The goal should be to secure your environment as much as possible and, in turn, never have to use the safety net that your insurance policy provides.
Some additional guidance from the Security Advisor team is below:
[King]: A risk assessment is a valuable tool in determining what type and how much cyber insurance an organization needs. After determining risks and applying mitigating controls to reduce those risks, an organization may decide the remaining risk is still higher than acceptable. Using the risk assessment, the organization will understand the impact and be able to purchase the appropriate cyber insurance to fill that gap.