Cyber Insurance: Worth the Money?

Uploaded on 2015-04-09 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

Cyber security concerns and massive data breaches are part of our daily news cycle. As a result, companies of every size and industry are carefully examining their cyber security preparedness, both as a matter of good business and because they are being forced to do so by regulators and their customer and client base. An integral part of that self-reflection process is (or at least should be) the availability of insurance coverage for the risks presented by security breaches.
Some companies have purchased “dedicated” cyber insurance policies that provide coverage for first-party and third-party risk exposures. Other companies are still in the evaluation phase and are appropriately wondering whether such policies are needed, and, if so, whether insurers are paying claims under them.
Are We Covered for That?
At present, the only meaningful generality that can be made about the scope of coverage available under a dedicated cyber policy is that there is no “standard” coverage available. Several different insurers are offering cyber liability coverage and the nature of what is covered versus what is not varies significantly.
In addition, many of these policies include a series of coverage enhancements that can be added to the policy, sometimes at no additional premium. But the policyholder must be a savvy consumer who makes the right “ask” and has a good handle on the risks that it is seeking to insure.
For example, some insurers are willing to provide coverage for PCI-DSS assessments while other insurers are not. Moreover, many insurers willing to provide coverage for this type of claim will not provide “full limit” coverage for the risk exposure and instead will place a “sub-limit” for such claims.
The insurer’s willingness to provide this coverage, and the extent of limit available for it, will depend on the number of records handled, the strength of the insured’s existing procedures to prevent security breaches, and the data breach claims history.
We are still in the very early stages of evaluating the claims history associated with cyber insurance policies. For the past several years, insurers have been grappling with how to underwrite the risks that will be insured, how to offer the “right” limits, and how to appropriately price the policies, both in terms of premiums and self-insured retentions.
So far, there is anecdotal evidence to support the proposition that some of the headline-grabbing data breaches involved recovery of at least some cyber insurance. But we have not yet seen the emergence of hotly contested coverage litigation associated with new cyber insurance policies. Rather, most court battles addressing security and data breaches continue to focus on the availability of coverage under “traditional” insurance policies.
In some instances, we have seen insurers pay a claim because there was an extremely low sub-limit and the insurer recognized that the scope of the loss far exceeded any coverage fight worth having. In other instances, we have seen policyholders manage the size and scope of the risk to a level that stays within the (often very high) self-insured retention such that the insurer is not required to pay.
But earlier this year, there was an interesting lawsuit filed that suggests insurers may be prepared to pay their insured’s’ claims and then pursue recovery from responsible third parties. In that case, Travelers Casualty and Surety Co. of America paid a claim submitted by its policyholder for a security breach that resulted from a hacking event.
The policyholder, Alpine Bank, had hired a professional designer to design the company’s website and maintain the host server. Hackers accessed the website and gained entry to customer information. As a result, the policyholder was required to incur significant breach-notification costs.
Travelers paid the claim and then sued the designer, alleging that the designer failed to place basic anti-malware software on the server and failed to maintain adequate encryption controls over the customer data. It is premature to predict the outcome of the lawsuit. Nevertheless, it does offer some hope that insurers intend to stand by the coverage provided under cyber policies and then take up the fight to pursue responsible third parties for breach events.
There are two critically important steps that companies must take to maximize the likelihood and amount of their insurance recovery under cyber policies.
First, companies must take great care to conduct detailed and comprehensive due diligence during the application process of buying the cyber policies. Many insurers are requiring prospective insured’s to supply a warranty letter along with a formal insurance application before issuing the cyber policy. Policyholders are well served to provide more information from the appropriate constituencies in connection with these requirements. Robust disclosure will reduce an insurer’s attempt to cry “foul” after a loss has occurred.
Second, companies must understand the importance of providing timely written notice after a loss, even if the loss may not exceed the retention. The new cyber policies are written on a “claims-made” basis such that a delay in providing notice of the claim may result in complete forfeiture of coverage. Moreover, insurers will not give credit to dollar amounts spent against the retention unless and until they are on notice of a claim.

CFO: http://ow.ly/LnRBK

« Seeing Your Business Through the Eyes of a Hacker
Proactive Cyber Security Strategies Improve Security Effectiveness »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cloud Credential Council (CCC)

Cloud Credential Council (CCC)

The CCC is a leading provider of vendor-neutral certification programs that empower IT and business professionals in their digital transformation journey.

IntaForensics

IntaForensics

IntaForensics offer a full range of digital investigation services and are able to adapt to the individual needs of solicitors, private clients, Law Enforcement Agencies and commercial businesses.

Alliance for Cyber Security (ACS)

Alliance for Cyber Security (ACS)

An alliance of all major players in the field of cyber security in Germany with a mission to strengthen Germany’s resistance to cyber-attacks.

Ahope

Ahope

Ahope is a mobile security solution provider in Korea with a long history of security solution development.

CyBOK - University of Bristol

CyBOK - University of Bristol

CyBOK is a comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.

HackHunter

HackHunter

HackHunter’s passive sensor network continuously monitors, detects and alerts when a malicious WiFi network and/or hacking behaviour is identified.

Early Birds

Early Birds

Early Birds is a Business to Business (B2B) marketplace for Innovators (Startups/Scaleups) and Early Adopters to exchange value early on.

Trava Security

Trava Security

Trava simplifies cyber risk management for business owners and IT professionals. Automated assessments, mitigation advising, and data-driven cyber insurance.

Blok Cyber Security

Blok Cyber Security

Blok provide small businesses and sole traders, with affordable, managed Cyber Security Packages that offer immediate protection and peace of mind.

TXOne Networks

TXOne Networks

TXOne Networks offer cybersecurity solutions to protect your industrial control systems to ensure their reliability and safety from cyberattacks.

BDO Global

BDO Global

BDO is an international network of public accounting, tax and advisory firms which perform professional services under the name of BDO.

Support Link Technologies (SLT)

Support Link Technologies (SLT)

Support Link Technologies are an IT Solutions Company committed to achieving customer satisfaction through excellent customer service.

inWebo

inWebo

inWebo is the specialist in multi-factor strong authentication (MFA). We guarantee the security of data and identities in a digital world with increasingly important economic and political stakes.

Nclose

Nclose

Nclose is a proudly South African cyber security specialist that has been securing leading enterprises and building our security portfolio since 2006.

PixelQA

PixelQA

Are you looking for a security testing company to cross-check whether your software or mobile app has a possible security threat or not?

Aegis Cyber Defense Systems

Aegis Cyber Defense Systems

AEGIS is a powerful cybersecurity tool that can help protect your devices and networks from cyber threats, and increase performance.