Jarrett Kolthoff | December 9th, 2018

Business Journal Ask the Expert Column

Is There Anything Specifically In Our Cyber Insurance Policy That Could Leave Our Company Exposed Or At Risk?

Yes. Certainly. Without question. As the sophistication level of cyber criminals and bad actors increases, so too does the risk and potential for massive payouts and losses on the part of insurance companies.

While I don’t want to disparage insurance carriers—the industry provides a very necessary service—as a rule, they love to provide coverage and hate to pay claims. Armed with this rather harsh reality, you should comb through your policy carefully for “exclusions” and “exceptions.” These critical clauses, which are worded with calculated precision, can mean the difference between a claim that will be denied and a claim that will be properly paid without issue.

Skimming the "exclusions" and "exceptions" without working closely with your underwriting team, and without asking detailed questions of your provider, is the surest way to pay for a policy that leaves your company vulnerable while providing a false sense of security.

What’s A Good Example Of An Exclusion That Could Place Our Company At Risk?

One very common exclusion many companies overlook, and one we see regularly, deals with social engineering and wire fraud. Many employees mix personal and business e-mail communications and regularly expose their companies with little regard for security.

Criminals and cyber predators often profile employees and look for weaknesses, with the compromise of e-mail almost always at the top of the list. Harvesting employee credentials through malicious e-mail links, or installing malware through attachments, is an easy entry point for these nefarious characters, who can then penetrate networks and systems once they have compromised an innocent and unknowing employee. Once the criminals have hacked into the employee's e-mail or computer, they can use that access to initiate a fraudulent financial transaction through social engineering (for example, sending wire instructions from the compromised mailbox to a colleague in accounting or to a customer) or to completely compromise the network.

Following a breach, the question of coverage often turns on what digital forensics can prove. If the forensic evidence shows that an account or system was actually compromised, the resulting loss may be covered under your policy. If instead it is determined that the wire fraud was carried out purely through social engineering, with an employee deceived into authorizing the transfer and no system intrusion behind it, your claim could be denied unless social engineering is specifically covered by your cyber policy. For that reason, preserve the evidence that distinguishes the two cases (mail server and login logs, endpoint images, the original fraudulent messages) before anything is wiped or rebuilt.

How Should Our Company Approach Best Practices To Avoid Exposure Through An Insurance Policy Exclusion?

I always recommend a team approach, using outside resources, to maximize your defenses, exceed compliance standards, and eliminate any ambiguous language or questionable exclusions in your cyber insurance policy.

Start by engaging a cyber counterintelligence firm, such as my company, SpearTip, that goes beyond first level monitoring and appliance installations. Then, align yourself with a law firm which has a deep background and thorough understanding of cybercrime, digital forensics and advanced technology. Make sure all parties can work together seamlessly, providing well-defined roles, duties and leadership protocols.

Use your cyber security company as your Security Operations Center (SOC) to detect current vulnerabilities and protect against future breaches, while also making sure you meet the security requirements your policy imposes as a condition of coverage. Employing a third-party resource to work with your internal IT, audit and security teams gives you dedicated access to better talent with greater knowledge of evolving threats and of the tools and techniques used to fight cybercrime. It is a practice that will save you money long-term and begin reducing risk on multiple fronts immediately.

As for your outside legal provider, make sure they can work on a team level with your cyber security provider. The two can review your insurance policies from different viewpoints to identify gaps, issues and key points in your coverage that should be addressed. You will also lay the foundation for a good working relationship, so that in the event of an internal or external breach the two parties can share digital forensics duties, with the security firm gathering and analyzing the evidence and the law firm preserving privilege and presenting the findings to the carrier, maximizing the skill sets of each.

Final Thoughts.

Managing cyber security represents the single greatest challenge facing any business today, given the complex nature of the “invisible” enemies targeting your organization. Adding the layer of complexity that insurance brings to the table, to ensure you have proper coverage, requires more insights than most organizations can muster internally. So, assemble your team wisely and comprehensively. In the end, it could save you millions and possibly even save your business from financial ruin. Don’t let the stakes intimidate you. Just make sure you don’t compromise on the talent of people you have protecting you.