Raymond Pompon also contributed to this article.
Those of us with experience in IT security know there are some risks we just can’t mitigate. In such cases, many of us seek out risk transference through cyber insurance. But, some of us had a rude awakening when we found out that the coverage we’ve spent tens of thousands (or even millions) of dollars a year on fails to honor our claim.
This is exactly what happened with Ameriforge Group, a victim of an email scam in which a company’s chief executive was impersonated. The losses to Ameriforge were worth nearly half a million dollars. But the insurance carrier claimed the company’s coverage was for forgery of financial instruments, not fraudulent emails that executives were tricked into following.
This story is not an aberration. For the past year, F5 Labs researchers have heard many CISOs complain that cyber insurance isn’t to be trusted at face value. One prominent CISO, who chose to remain anonymous, flat out told us, "Cyber insurance is B.S.," adding, "No one will actually cover claims. It gives you a false sense of control."
Although not every CISO believes the situation is quite that dire, corporate attorneys who understand the nuances of cyber insurance are few. Without qualified legal help, you can easily find yourself without a safety net when you need it most.
What kind of coverage gaps are people seeing? One of the most obvious is the base deductible. Some policies vary the deductible amount based on the type of loss, and some losses aren’t covered unless they exceed $500,000. In other cases, organizations wrongly think their standard business loss insurance covers cyber loss. In a 2013 case, a hacked company was denied payment because its policy applied to property damage—and electronic data wasn’t considered "tangible property."
There are subtler forms of coverage gaps, as well. In the world of business loss and the law, there are different classes of damages, depending on when and how they occur. In a 2016 case, a restaurant chain’s cyber insurance covered direct damages of a data breach, but left the restaurant high and dry for millions of dollars in fees and assessments associated with fraudulent credit card chargebacks.
The savvy CISO should do a detailed impact analysis for all major threat scenarios before shopping for cyber insurance. The list of possible impacts can include:
- Direct monetary losses from electronic theft, phishing, email scam, or other types of cybercrime.
- Losses due to cyber extortion, such as DDoS blackmail or ransomware.
- Losses related to mitigating and investigating an incident, including computer forensics and consultants.
- Losses due to downtime, which includes customer revenue, worker productivity, and increased operational costs.
- Loss or damage to data or software, including costs associated with replacing, patching, recreating, or restoring things to the way they were before the incident.
- Expenses associated with remediation activities, such as new control purchases, application design enhancements, monitoring, supporting staff, etc.
- Expenses associated with customer breach notification, including public relations, legal consultation, postage fees, and telephone support.
- Expenses associated with customer compensation because of the incident, including credit monitoring, service level agreement penalties, refunds, and contractual violations.
- Expenses related to liability exposures due to the incident, such as investigator fees, legal defense costs, and civil court damage costs.
- Expenses due to third-party liability exposures, including loss or corruption of third-party data or service.
Sometimes cyber insurance claims are denied because an organization disqualified itself. A hospital group’s claim for losses associated with a privacy breach was turned down because its systems were not properly patched. The hospital group had claimed on its application form to be performing many standard secure practices, but those practices had lapsed. This was sufficient reason for the insurer to deny payment.
Applying for insurance can sometimes be a grueling process involving detailed questionnaires and lengthy technical interviews. During this time, organizational responses must be complete and honest; otherwise, the insurance contract could be annulled.
This is a significant risk in cyber insurance because many IT security practices are not 100% perfect, and occasionally there are operational lapses. One cyber insurance company rejected a claim because a user fell for a phishing attack. The insurance company ruled that the access was "authorized," even though the victim was tricked into giving the authorization.
CISOs should know all the possible impacts and costs of a breach and match them to their cyber insurance policies. Having legal help from someone with deep expertise in this area is a prudent investment before purchasing. Whatever cyber insurance policies you purchase, make sure to read the fine print very carefully rather than assuming a policy provides the right coverage.