10 Costs Your Cyber Insurance Policy May Not Cover
All the things you might think are covered but that don't actually fall under most policies.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blte4403356f868e489/64f0d701f4a5c53f30cb686c/insurance-intro.jpg?width=700&auto=webp&quality=80&disable=upscale)
If you handle enterprise security, chances are good you've purchased - or at least researched - cyber insurance coverage. After all, it's not a matter of "if" you'll be breached, but "when," and it's important to know you'll be covered when the time comes.
Cyber insurance is a relatively new field, and coverage is evolving as the threat landscape shifts. Depending on your policy and the threat you're addressing, there are subtleties in the wording that may not be evident at first but that are important to ask about when you're purchasing.
"Unlike your auto policy, which is pretty standard wherever you buy, there is very little continuity in the cyber insurance marketplace from policy to policy," says David Bradford, chief strategy officer and director of strategic partner development at Advisen.
While you may know the basics of insurance policies, it's more difficult to navigate the details of each one. Which costs will be covered in the event of a data breach or cyberattack, and which won't? It's the kind of information you don't want to learn after an incident occurs.
"You always have to read the fine print and make sure you actually got the coverages you were expecting," says Samit Shah, insurance solutions manager at BitSight.
Roman Itskovich, co-founder and chief risk officer at cyber insurance startup At-Bay, points out that most brokers and insurers don't really know exactly how much coverage is needed in a specific event. Many break down policies so each aspect of a breach (legal, forensics, etc.) is covered for a certain amount. Other policies cover one amount to split amongst these services.
The trend is toward broader, more expensive coverage instead of restrictive policies. Even so, many costs related to cyber events still aren't covered by cyber insurance policies. Here's a rundown of things you may think are covered, but actually are not.
After a cyberattack occurs, the clock starts ticking. If your systems are back up and running within a reasonable timeframe, business interruption coverage generally will not apply. Most policies impose a waiting period and only kick in for critical situations in which systems are down for several hours or days. The average waiting period for cyber insurance is about eight hours of downtime, says Shah, and Itskovich ballparks the number at around 10 to 12 hours. Even if you encounter business interruption for most of a workday, you may not be covered by your cyber insurance policy.
Some cyber insurance policies extend coverage to third-party providers, but many do not. When you define your company in your policy, be sure the definition includes any service providers your business uses.
"There are coverages out there that don't extend coverage to third parties or contractors," Shah points out. "It's very important to check that coverage does include them in the definition of the company itself."
Shah explains this in the context of a cloud storage leak: whether you receive coverage in the event of a leak depends on the situation. "If the company is found to have been negligent and there was an administrative error on their part for not configuring Amazon services, then coverage would not be there," he says. If configuration was done properly and Amazon lost data in a reboot or another incident, there would be coverage.
Typically this kind of negligent error is excluded from contracts, he says, but separate cyber insurance is available that covers this type of administrative mistake. When you do work with third-party services, verify that they are secure and that they are following the right practices, and check this as often as possible.
Most cyber insurance policies don't cover property damage or hardware replacement, says Shah. Digital assets coverage typically includes corruption or loss of data on a computer, but not the machine itself. This can be problematic if the data or hardware is so badly corrupted that it's more efficient to purchase new hardware and toss the old machine.
"People might think if you have ransomware, you'll get computers and servers replaced, but that isn't the case," he explains.
Business email compromise (BEC) attacks, in which executives are tricked into wiring money into outside accounts, and other forms of social engineering are not typically covered under most cyber insurance policies.
"A few policies have limited coverage but most will not respond to that," says Bradford, adding that social engineering isn't very different from other types of fraud. "If it's a concern, and it should be, [businesses] should make sure it's covered in commercial crime coverage."
Itskovich warns companies not to lump social engineering in with computer crime, which is covered under many policies. Social engineering happens more often than computer crime but isn't as commonly included in insurance policies.
"If you have a data breach and lose data, there's not a lot of ambiguity there," says Bradford. However, if a cyberattack hits a connected car or insulin pump, or a bug in manufacturing equipment leads to physical harm, most cyber insurance policies won't cover medical costs.
The issue is becoming bigger as we move into the "Internet of everything," he continues. "Increasingly connected objects have opportunities to cause physical damage or bodily injury."
While it's not included in most cyber insurance policies, this type of coverage can be purchased, but you have to know to ask for it. Bradford notes it's typically provided in "difference in conditions" policies or can be added as an endorsement to a regular cyber insurance policy.
Shah points out that while physical bodily injury is often not covered, some policies will cover emotional distress. If, for example, your medical provider is hacked and sensitive data is made public, you may receive compensation for emotional distress related to the incident.
When a company is hit with a credit card breach, cyber insurance policies often cover the process of notifying customers and regulators. They do not cover fines and penalties issued by the Payment Card Industry, which imposes its own fees following breaches.
When you decide to process payment cards as a company, you agree to certain rules, says Shah. If you violate those, there may be certain assessments you are responsible for paying. Major card providers including Mastercard, American Express, and Visa will send in a forensics team to figure out what happened and charge for that, plus additional costs.
"Every day you're out of compliance they issue a fine," he explains. "Those are all in addition to notifications that your insurance program may or may not cover." He urges businesses to ask about this to ensure they have the fullest coverage, especially if this is an exposure they have.
Intellectual property theft and reputation damage are tricky coverage areas with growing demand. "Both of those are really difficult for insurers because it's hard to quantify the loss," says Bradford.
Right now coverage is "very, very limited - almost a kind of beta-experimental sort of basis," he continues. It's something insurers have avoided for a while but will be forced to address. If they don't offer this type of policy, their customers may take their business to competitors who do.
"It's perceived as one of the largest risks to doing business in cyberspace in a lot of companies, is that reputation impact," he adds.
Most businesses don't realize banks won't cover them if a successful account-takeover operation drains money from their account, says Bradford. Coverage is available for this, but it's something businesses need to seek out. He anticipates we'll see this area continue to develop further as more people are hit with these types of attacks.