Risk

1/23/2018
07:50 PM
Kelly Sheridan
Kelly Sheridan
Slideshows
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

10 Costs Your Cyber Insurance Policy May Not Cover

All the things you might think are covered but that don't actually fall under most policies.
Previous
1 of 11
Next

(Image: LidiaLydia via Shutterstock)

(Image: LidiaLydia via Shutterstock)

If you handle enterprise security, chances are good you've purchased - or at least researched - cyber insurance coverage. After all, it's not a matter of "if" you'll be breached, but "when," and it's important to know you'll be covered when the time comes.

Cyber insurance is a relatively new field and coverage is evolving as the threat landscape shifts. Depending on your policy and the threat you're addressing, there are subtleties in your policy that may not be evident at first but are important to ask about when you're purchasing.

"Unlike your auto policy, which is pretty standard wherever you buy, there is very little continuity in the cyber insurance marketplace from policy to policy," says David Bradfod, chief strategy officer and director of strategic partner development at Advisen.

While you may know the basics of insurance policies, it's more difficult to navigate the details of each one. Which costs will be covered in the event of a data breach or cybeattack, and which won't? It's the kind of information you don't want to learn after an incident occurs.

"You always have to read the fine print and make sure you actually got the coverages you were expecting," says Samit Shah, insurance solutions manager at BitSight.

Roman Itskovich, co-founder and chief risk officer at cyber insurance startup At-Bay, points out that most brokers and insurers don't really know exactly how much coverage is needed in a specific event. Many break down policies so each aspect of a breach (legal, forensics, etc.) is covered for a certain amount. Other policies cover one amount to split amongst these services.

The trend is toward broader, more expensive coverage instead of restrictive policies. Even so, many costs related to cyber events still aren't covered by cyber insurance policies. Here's a rundown of things you may think are covered, but actually are not.

 

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Volnut
50%
50%
Volnut,
User Rank: Apprentice
1/29/2018 | 8:41:17 AM
Re: 10 costs potentially covered
Thank you for your insights.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/25/2018 | 11:53:35 PM
Re: 10 costs not covered
I think the key word here is "May". If you think of it and you ask or negotiate, you can probably get it (albeit, perhaps, not at the price you want).

There is a complaint that smaller companies have less bargaining power than large enterprises, which may sometimes be true, but more often smaller or midsize companies are simply not thinking to ask very specifically for the things that large enterprises might consider routine.
PaulWaite
100%
0%
PaulWaite,
User Rank: Strategist
1/24/2018 | 11:18:11 PM
Cyber Cover Available
The costs that you have outlined and can be covered by one insurer. As stated you just need a broker that understands the various layers of complexity between various other businesss covers as well

We have designed a cyber product for the Australian market which is tailored to an organisationa actual risk and risk transference appetite. Simply put is is "Cyber by Design".
BrianN060
100%
0%
BrianN060,
User Rank: Ninja
1/24/2018 | 9:44:15 PM
Re: 10 costs potentially covered
@MC: I like your comment.  Don't agree with all your points; but they should be voiced - in a serious consideration of the proper role of insurance in cybersecurity corporate policy; and beyond the interests of an organization or industry.  There are macro-economic implications, and broad public and social consequences to what boils down to the responsibilities of data governance.

I don't think those can be properly enumerated and assessed in a string of comments.  Maybe it's enough that the article and comments inspire a closer look at the issues involved.  
mcavanaugh1
100%
0%
mcavanaugh1,
User Rank: Strategist
1/24/2018 | 1:59:26 PM
10 costs potentially covered
All 10 of the points provided can be covered under a Cyber Insurance policy through multiple insurance companies.  The issue should not be the problems with the policy but the problems with the agents & brokers selling the coverage.  Finding a broker or agent that understands the questions to ask, the carriers in the marketplace and the coverage to be added is the most important part of obtaining this coverage. Most of the issues we hear about claims being denied arise from an insurance agent that does not understand the coverage and simply places the insurance with the cheapest carrier on the table.  If your agent does not know how to get you a comprehensive insurance policy they should know who can get you one otherwise it is time for a new insurance agent.

Cybersecurity is a risk to be managed not solved.  Any comprehensive risk management program should incorporate IT security, Internal Policies, etc... as well as an Insurance policy to transfer the risk that cannot be removed through spending money on security. 
BrianN060
100%
0%
BrianN060,
User Rank: Ninja
1/24/2018 | 9:27:16 AM
10 costs not covered
Fine article, Kelly.  If typical, what's actually covered, they could write on a post-it note (it's the exclusions that would fill the binder).  Being flippant; but the facts presented should have many reconsidering reliance on insurance, over effective cybersecurity and data management/governance policies.   
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11311
PUBLISHED: 2018-05-20
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
CVE-2018-11319
PUBLISHED: 2018-05-20
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to ...
CVE-2018-11242
PUBLISHED: 2018-05-20
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
CVE-2018-11315
PUBLISHED: 2018-05-20
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a ho...
CVE-2018-11239
PUBLISHED: 2018-05-19
An integer overflow in the _transfer function of a smart contract implementation for Hexagon (HXG), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets by providing a _to argument in conjunction with a large _value argument, as exploited in the wild in ...