May 2019

The headlines have been filled recently with stories about cybersecurity insurance providers refusing to pay claims based on exclusionary language within their policies. These stories prompted a list of great questions worthy of sharing.

Our current cyber security insurance policy leaves our company exposed to significant risk. How can we be sure the policy we’re considering gives us the protection we need? Welcome to Pandora’s box. The fact that you have cyber insurance and understand you’re at risk tells me you at least have a cybersecurity risk management strategy in place . . . but you’ve got some serious decisions to make.

Cybersecurity insurance providers are becoming more savvy and are narrowing the focus within their policies to the point of microscopic detail. It’s how the industry works. The insurance companies want to help you minimize risk, while, at the same time, they work to minimize payouts. So, you need to make sure every hidden needle in the insurance haystack is fully defined, or you could be left with a claim that is refused, possibly resulting in litigation and potentially millions in unforeseen costs.

Include your third-party cybersecurity provider and legal counsel in your plan review, negotiations and execution. Bring in the experts, and I mean the heavy-hitters, from these two critical partners. They can help you make sure the plan presented suits your specific needs and covers the exact items you want to be insured. As policy language becomes more narrow, it’s easy to think you’re covered for items that are actually excluded. That being said, make sure your coverages outline, in detail, exactly what is covered and exactly when your coverage begins and ends. This way, you can satisfy your organizational risk quotient, as well as satisfying legal requirements and any specific designations required for your industry. Lastly, consider hiring an independent cybersecurity insurance broker or consultant, who works on your behalf on a fee-only basis, with no commission or consideration from the insurance companies.

I’ve read nightmare stories about cyber insurance claims being denied. What can we do to guard against denial if we’re ever breached? Whether you hire SpearTip or another cybersecurity provider, make sure both their Incident Response and Digital Forensics teams are highly skilled and adept at evidence discovery, handling, cataloging and more. Equally important, make sure the team can present findings in plain, concise, easy-to-understand language. Stellar Incident Response and Digital Forensics teams can save your organization millions of dollars in denied claims and potentially save your business. One final thought on Digital Forensics: Consider a rider on your insurance that covers all costs related to Digital Forensics. Otherwise, you could lose a substantial portion of your claim to the process of finding out how and when the incident in question actually happened.

Reviewing cybersecurity insurance plans is overwhelming. Is there anything in particular you recommend your clients to look for? There are three provisions I always urge our clients to review carefully.

1. When is coverage triggered? Is the policy written on an “occurrence” basis or a “claims-made” basis? On an “occurrence” basis, the breach must occur during the policy period; however, on a “claims-made” basis the breach must be reported during your policy period. Understanding the difference in policies is absolutely critical when you consider that most companies don’t discover a breach until at least 6 months (at the minimum!) after the breach has occurred. Additionally, many “claims-made” policies require that the breach both happens and is reported during the coverage period. The degree of splitting hairs in this particular area can reach the level of being ridiculous, so get as much detail as possible.

2. Are the actions of a malicious insider covered, or must an incident come from an outside third party? While the acts of rogue outsiders make the headlines, the most dangerous threats often come from insiders who want to pirate away IP, embezzle funds, damage both personal and company reputations, or destroy assets. Complicating the matter, even more, is the outside threat who purposely gets himself/herself hired for the singular purpose of infiltrating your organization for criminal purposes. At what point, then, is the person considered an insider or an outsider by your insurance provider? Is intent a qualifying factor? If so, how can it be proven?

3. Does the policy require your organization to maintain agreed upon cybersecurity standards? How and by whom are these standards measured? This is the type of gray area insurers use to wriggle out of paying claims. Make sure standards are strictly defined to the last detail. Otherwise, the standards can be open to interpretation, which puts you at an extreme disadvantage.

Just remember, disputes between policyholders and insurers are inevitable when it comes to cybersecurity insurance. The insurance companies will always attempt to strictly construe policies to minimize payouts because their losses have simply become overwhelming. So be prepared, and be organized. How you handle cybersecurity insurance could mean the difference in recovering from a breach or your business facing a significant financial loss.