10/23/2014 09:00 AM
10 Things IT Probably Doesn't Know About Cyber Insurance

Understand the benefits and the pitfalls you might miss when evaluating cyber policies.

As more organizations start considering cyber insurance as one component of a fully fleshed-out IT security operations and risk management strategy, increasing numbers of IT executives and security leaders will be called upon to evaluate these policies. While the cyber insurance market has matured considerably over the last few years, this process can be daunting for the uninitiated.

"Policyholders need to critically review all language in their cyber policies," says Selena Linde, a partner with Perkins Coie LLP who practices insurance law. "With no standard ISO form, cyber policies are still the Wild West of insurance policies, and the language offered by the 50-plus carriers in this space changes monthly."

Dark Reading recently caught up with Linde and Jake Kouns of Risk Based Security, a firm that tracks breach and vulnerability information to sell to insurance underwriters. They both offered up salient points that many IT staffers likely have never considered about cyber policies -- both the benefits and the "gotchas" that might not always be apparent on first review.

Cyber insurance policies aren't magic
Kouns explains that, like any kind of insurance, cyber policies have the potential to include exclusions, narrow definitions, and other limits. The more of these limits, the less expensive the policy. They're simply a way to keep costs in check.

"This is common insurance stuff that has been going on for a long time," Kouns notes about the type of language that restricts coverage in various ways. Just because a potential policy has that language doesn't necessarily make it bad. What's bad is when an organization considers itself covered by insurance for a breach without understanding the limits of the policy.

"There are some policies out there that are not high quality, and then there are those that are really great options for transferring risk," Kouns says. "So you just need to understand what kind of data your company has and what sort of limits it might need to limit cost."

This is where an experienced broker can help

"Companies have been buying property insurance, workman's comp, and all of these other policies forever, and they have a broker or agent they buy them through. These brokers and agents are experts at picking the right policy, so use that expertise."

You're going to need to think more seriously about retroactive dates
As organizations dive into the language of their policies, one of the essential elements to consider is the policy's retroactive date. Increasingly stealthy attacks are being discovered on corporate networks that have already been present for months or even years.

"Experts have found that when a breach is discovered the hacker has usually had access to the system for more than 400 days, so negotiating early retroactive dates is critical," Linde says.

Terrorism/act of foreign enemy exclusions could sink you
In a car insurance or homeowner policy, an exclusion for acts of terror or foreign enemies may not be that big of a deal. But for cyber risk policies, these exclusions could be a real problem.

"With the majority of cyber attacks originating overseas and many of those believed to be state sponsored, how these exclusions are worded is critical to the value of the coverage," Linde says. "Companies need to negotiate the removal of these exclusions or carve-outs to these exclusions to ensure the coverage they purchase will indeed cover cyber attacks from outside the United States."

You're buying more than a claims payout
Insurance carriers don't make money by paying out claims.

"And if a claim comes in, it's in their best interest to get it closed as cheaply as possible," says Kouns.

That is why organizations tend to get far more value from cyber insurance than the prospect of a paid claim alone. Insurance companies have on-staff and outsourced resources such as lawyers to help fight class-action lawsuits, security people to advise on protections before breaches and on incident response after them, and credit monitoring services to help consumers after a breach.

"As a part of your policy you get access to those capabilities to help you respond and recover," he says.

Even a minimal policy buys you a valuable partner
Often organizations will consider cyber liability policies an all-or-nothing affair. They'll want all the exclusions lifted from a policy but balk at the resulting price and ultimately choose not to buy anything at all. But given the resources insurance companies bring to the table, there may be room in the gray area for benefit.

"At the end of the day, just getting a lower amount of insurance will get you started and will get you access to all of those resources. So if you only have $1 million in coverage and your breach is $1.7 million, you're going to be on the hook for that extra money -- but guess what?" Kouns says. "You're going to get the negotiated rate from these different vendors instead of getting gouged by the security people who say, 'Oh, you're in a bad spot? OK, that'll be $500 an hour and I'll be camped out for five months.' "

Who you talk to after a breach could affect your claim
Because cyber insurance is such a new field, claims against such policies tend to carry a higher rate of litigation than claims against more established insurance products. These legal struggles depend heavily on how policy language and intent are interpreted by the courts. This means that organizations must be very careful about whom they talk to and what they say early in the process.

"What a policyholder says and to whom and how it is said may make the difference between a covered and an uncovered claim," says Linde. "Policyholders should be careful in the initial stages when characterizing their claims or discussing coverage with their insurance companies, their brokers, or any outside consultants."

In particular, policyholders have to be careful about discussing coverage issues with their brokers -- especially in email or IM.

"In many jurisdictions, communications with a broker are not subject to any privilege, and any unprotected communications may be discoverable if a coverage dispute ultimately arises," Linde warns.

Delaying notice is a potential claims killer
Once a breach is detected, don't wait too long to notify your insurer of the issue. How long you have will vary by policy, but some of them want to know as soon as 24 hours from public disclosure.

"Generally, however, notice must be provided between 30 and 90 days after the discovery of a breach," Linde says. "Failure to abide by the policies’ specific notice provisions may bar coverage in some jurisdictions, especially for claims-made policies."

Insurance companies are starting to reword policies to only cover "theft"
According to Linde, many policies are starting to include revised language that makes them only cover losses from theft of data. That could be dangerous for companies that suffer a data exposure from negligence such as an employee losing a laptop with sensitive data.

"Since negligence still accounts for close to one-third of cyber breaches, companies need to ensure they are covered regardless of how the data ultimately ended up in the wrong hands," she says.

Contractual liability exclusions might void your policy without action
"Insurance carriers often try to avoid coverage by arguing that contractual relationships with vendors, credit card companies, and banks act to void the purchased insurance in an event of a breach," Linde warns.

As companies evaluate their policies, they should keep an eye out for these kinds of exclusions. If they can't get them removed, they should "at a minimum carve them back," she recommends.

It's less expensive than you think
Given the prevalence of data breaches and the costs associated with them, the price of cyber liability insurance is still "unbelievably" low, according to Kouns.

"Risk transfer is a legit option -- it works and it works really well a lot of times, and you get a lot services-wise, along with financial recovery, for the price," he says, explaining that even if it seems steep at first, there may be a way to craft policies with lower limits that make sense, depending on the organization. "You can right-size your policy."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
MaryR860 (User Rank: Apprentice), 10/27/2014 | 10:45:15 AM
Reduced premiums with proof of IT security protection
Ericka, during your conversations while researching this story, did you learn if insurance companies will offer discounts on premiums based upon the level of security protection that an organization has implemented?
Marilyn Cohodas (User Rank: Strategist), 10/24/2014 | 9:14:48 AM
Insurance brokers
I use an insurance broker for my home and car policies -- and the advice has been invaluable. I would assume the same should apply for cyberinsurance, but the industry is so new I would take great care in vetting a broker in this field. Makes me wonder how insurance brokers become cyberinsurance brokers. Do they come from an insurance background? A compliance background? A security/risk management background?
Sara Peters (User Rank: Author), 10/23/2014 | 4:55:56 PM
exceptions for terrorist acts
Ya know, I understand insurance companies choosing not to cover acts of terrorism or war, and in most cases, those types of activity are not a big issue. But as you say, Ericka, with the number of cyber-attacks that are presumed to be the acts of nation-states, cyber-insurance won't be very useful if it won't cover that stuff.
Sara Peters (User Rank: Author), 10/23/2014 | 4:48:53 PM
GREAT list!
Good stuff, Ericka. The one that sticks out to me most is the retroactive thing. So many attacks aren't discovered until months or years after they occurred. That's not something you need to think about with car insurance. I wonder if they look into "pre-existing conditions" like they do in health insurance. :)