
10 Things IT Probably Doesn't Know About Cyber Insurance

Understand the benefits and the pitfalls you might miss when evaluating cyber policies.

As more organizations start considering cyber insurance as one component of a fully fleshed-out IT security operations and risk management strategy, increasing numbers of IT executives and security leaders will be called upon to evaluate these policies. While the cyber insurance market has matured considerably over the last few years, this process can be daunting for the uninitiated.

"Policyholders need to critically review all language in their cyber policies," says Selena Linde, a partner with Perkins Coie LLP who practices insurance law. "With no standard ISO form, cyber policies are still the Wild West of insurance policies, and the language offered by the 50-plus carriers in this space changes monthly."

Dark Reading recently caught up with Linde and Jake Kouns of Risk Based Security, a firm that tracks breach and vulnerability information to sell to insurance underwriters. They both offered up salient points that many IT staffers likely have never considered about cyber policies -- both the benefits and the "gotchas" that might not always be apparent on first review.

Cyber insurance policies aren't magic
Kouns explains that, like any kind of insurance, cyber policies have the potential to include exclusions, narrow definitions, and other limits. The more of these limits, the less expensive the policy. They're simply a way to keep costs in check.

"This is common insurance stuff that has been going on for a long time," Kouns notes about the type of language that restricts coverage in various ways. Just because a potential policy has that language doesn't necessarily make it bad. What's bad is when an organization considers itself covered by insurance for a breach without understanding the limits of the policy.

"There are some policies out there that are not high quality, and then there are those that are really great options for transferring risk," Kouns says. "So you just need to understand what kind of data your company has and what sort of limits it might need to limit cost."

This is where an experienced broker can help

"Companies have been buying property insurance, workman's comp, and all of these other policies forever, and they have a broker or agent they buy them through. These brokers and agents are experts at picking the right policy, so use that expertise."

You're going to need to think more seriously about retroactive dates
As organizations dive into the language of their policies, one of the essential elements to consider is the policy's retroactive date. Increasingly, stealthy intrusions are being discovered on corporate networks only after the attackers have been present for months or even years.

"Experts have found that when a breach is discovered the hacker has usually had access to the system for more than 400 days, so negotiating early retroactive dates is critical," Linde says.

Terrorism/act of foreign enemy exclusions could sink you
In a car insurance or homeowner policy, an exclusion for acts of terror or foreign enemies may not be that big of a deal. But for cyber risk policies, these exclusions could be a real problem.

"With the majority of cyber attacks originating overseas and many of those believed to be state sponsored, how these exclusions are worded is critical to the value of the coverage," Linde says. "Companies need to negotiate the removal of these exclusions or carve-outs to these exclusions to ensure the coverage they purchase will indeed cover cyber attacks from outside the United States."

You're buying more than a claims payout
Insurance carriers don't make money by paying out claims.

"And if a claim comes in, it's in their best interest to get it closed as cheaply as possible," says Kouns.

This is why organizations tend to get far more value from cyber insurance than the potential payout of a claim. Insurance companies have on-staff and outsourced resources such as lawyers to help fight class-action lawsuits, security people to advise on protections before a breach and on incident response after one, and credit monitoring services to help consumers after a breach.

"As a part of your policy you get access to those capabilities to help you respond and recover," he says.

Even a minimal policy buys you a valuable partner
Often organizations treat cyber liability policies as an all-or-nothing affair. They want every exclusion lifted from a policy, balk at the resulting price, and ultimately choose not to buy anything at all. But given the resources insurance companies bring to the table, there may be real value in a middle ground.

"At the end of the day, just getting a lower amount of insurance will get you started and will get you access to all of those resources. So if you only have $1 million in coverage and your breach is $1.7 million, you're going to be on the hook for that extra money -- but guess what?" Kouns says. "You're going to get the negotiated rate from these different vendors instead of getting gouged by the security people who say, 'Oh, you're in a bad spot? OK, that'll be $500 an hour and I'll be camped out for five months.' "

Who you talk to after a breach could affect your claim
Because cyber insurance is such a new field, claims against such policies tend to have a higher rate of litigation attached to them than other, more established insurance products. These legal struggles depend heavily on how the courts interpret the policy language and the parties' intent. This means that organizations must be very careful about whom they talk to and what they say early in the process.

"What a policyholder says and to whom and how it is said may make the difference between a covered and an uncovered claim," says Linde. "Policyholders should be careful in the initial stages when characterizing their claims or discussing coverage with their insurance companies, their brokers, or any outside consultants."

In particular, policyholders have to be careful about discussing coverage issues with their brokers -- especially in email or IM.

"In many jurisdictions, communications with a broker are not subject to any privilege, and any unprotected communications may be discoverable if a coverage dispute ultimately arises," Linde warns.

Delaying notice is a potential claims killer
Once a breach is detected, don't wait too long to notify your insurer of the issue. How long you have will vary by policy, but some of them want to know as soon as 24 hours from public disclosure.

"Generally, however, notice must be provided between 30 and 90 days after the discovery of a breach," Linde says. "Failure to abide by the policies’ specific notice provisions may bar coverage in some jurisdictions, especially for claims-made policies."

Insurance companies are starting to reword policies to only cover "theft"
According to Linde, many policies are starting to include revised language that makes them only cover losses from theft of data. That could be dangerous for companies that suffer a data exposure from negligence such as an employee losing a laptop with sensitive data.

"Since negligence still accounts for close to one-third of cyber breaches, companies need to ensure they are covered regardless of how the data ultimately ended up in the wrong hands," she says.

Contractual liability exclusions might void your policy without action
"Insurance carriers often try to avoid coverage by arguing that contractual relationships with vendors, credit card companies, and banks act to void the purchased insurance in an event of a breach," Linde warns.

As companies evaluate their policies, they should keep an eye out for these kinds of exclusions. If they can't get them removed, they should "at a minimum carve them back," she recommends.

It's less expensive than you think
Given the prevalence of data breaches and the costs associated with them, the price of cyber liability insurance is still "unbelievably" low, according to Kouns.

"Risk transfer is a legit option -- it works and it works really well a lot of times, and you get a lot services-wise, along with financial recovery, for the price," he says, explaining that even if it seems steep at first, there may be a way to craft policies with lower limits that make sense, depending on the organization. "You can right-size your policy."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

User Rank: Apprentice
10/27/2014 | 10:45:15 AM
Reduced premiums with proof of IT security protection
Ericka, during your conversations while researching this story, did you learn if insurance companies will offer discounts on premiums based upon the level of security protection that an organization has implemented?

Marilyn Cohodas
User Rank: Strategist
10/24/2014 | 9:14:48 AM
Insurance brokers
I use an insurance broker for my home and car policies -- and the advice has been invaluable. I would assume the same should apply for cyberinsurance, but the industry is so new I would take great care in vetting a broker in this field. Makes me wonder how insurance brokers become cyberinsurance brokers. Do they come from an insurance background? A compliance background? A security/risk management background?

Sara Peters
User Rank: Author
10/23/2014 | 4:55:56 PM
Exceptions for terrorist acts
Ya know, I understand insurance companies choosing not to cover acts of terrorism or war, and in most cases, those types of activity are not a big issue. But as you say, Ericka, with the number of cyber-attacks that are presumed to be the acts of nation-states, cyber-insurance won't be very useful if it won't cover that stuff.

Sara Peters
User Rank: Author
10/23/2014 | 4:48:53 PM
GREAT list!
Good stuff, Ericka. The one that sticks out to me most is the retroactive thing. So many attacks aren't discovered until months or years after they occurred. That's not something you need to think about with car insurance. I wonder if they look into "pre-existing conditions" like they do in health insurance. :)