It’s easy to see why cyber insurance has become must-have coverage for millions of American companies. 

With the threat landscape changing faster than ever, with regulatory penalties growing real teeth, with court decisions sending mixed messages, carrying robust cyber insurance is more important than ever.

But understanding what your insurance company will and will not cover is no less critical. Be especially wary of the policy’s exclusions. In one noted example, an insurance company sought to recover payouts on a customer’s data breach claim by pointing to a policy exclusion clause which read, “failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application.”

In other words, the customer thought they were purchasing a policy that would protect them in the unexpected event that their internal controls failed, only to find out that the policy specifically excluded coverage if the customer failed to continuously implement those very controls. Ouch.

What’s Covered (And What’s Not) 

The typical cyber insurance policy will cover both first-party and third-party costs in the following instances:

• Theft or destruction of data.
• Loss of business uptime due to denial of service incidents or attacks. (There is often a minimum time component, so read your policy carefully.)
• Transmission of viruses or malware.
• Personal information (PII or PHI) exposed by disgruntled employees, hackers, or lost or stolen devices.
• Unauthorized access.
• Ransomware, or other means of cyber extortion.

First-party costs include legal fees related to understanding your corporate obligations, public relations in the breach’s aftermath, mandatory credit monitoring offered to victims, forensic investigation, lost revenue during network downtime, and, most significantly, notification costs.

Third-party costs might include fines and penalties, settlements and judgments, costs related to providing responses to regulators, liability to banks for reissuing payment cards, and, of course, legal fees.

Again, make sure you have a clear understanding of the policy’s specific (and general) exclusions.

The following items are NOT covered:

• Damage to your business’s reputation.
• The cost of fortifying your network and information security.
• The wanton destruction of your company’s reputation.
• Loss of future business if clients leave you after notification.
• The complete and utter mutilation of your organization’s reputation.

(Care to guess what we think is the most important hole in your cyber insurance coverage?)

A number of current clients first came to us in the aftermath of data breach. Many carried cyber insurance, and most were compliant with regulations, but they had done little else to protect their information assets.

This is the technology equivalent of avoiding the doctor (and the gym) while consuming 8,000 calories a day, because, what the heck, you’ve got health insurance. What could go wrong?

If you need an affordable approach to maintaining compliance, we have some of those. If you need proven methods of strengthening your network’s defenses, we’ve built a 30-year track record of doing exactly that, at small-business prices that will (pleasantly) surprise you.

And if you just want straight answers and field-tested ideas about cybersecurity, give us a call.

Categories: Current News and Events, Data Security, Managed Security, SLPowers