6/15/2017
11:00 AM
Sara Boddy
Partner Perspectives
Cyber Insurance: Read the Fine Print!

Applying for insurance is a grueling process involving detailed questionnaires and lengthy technical interviews that can still leave you without an adequate safety net.

Raymond Pompon also contributed to this article.

Those of us with experience in IT security know there are some risks we simply can’t mitigate. In such cases, many of us seek risk transference through cyber insurance. But some of us have had a rude awakening when we found out that the coverage we spend tens of thousands (or even millions) of dollars a year on would not honor our claim.

This is exactly what happened to Ameriforge Group, the victim of an email scam in which the company’s chief executive was impersonated. The losses to Ameriforge came to nearly half a million dollars. But the insurance carrier argued that the company’s coverage was for forgery of financial instruments, not for fraudulent emails that executives were tricked into acting on.

This story is not an aberration. For the past year, F5 Labs researchers have heard many CISOs complain that cyber insurance can’t be trusted at face value. One prominent CISO, who chose to remain anonymous, flat out told us, "Cyber insurance is B.S.," adding, "No one will actually cover claims. It gives you a false sense of control."

Although not every CISO believes the situation is quite that dire, corporate attorneys who understand the nuances of cyber insurance are few. Without qualified legal help, you can easily find yourself without a safety net when you need it most.

Coverage Gaps
What kind of coverage gaps are people seeing? One of the most obvious is the base deductible. Some policies vary the deductible amount based on the type of loss, and some losses aren’t covered unless they exceed $500,000. In other cases, organizations wrongly think their standard business loss insurance covers cyber loss. In a 2013 case, a hacked company was denied payment because its policy applied to property damage—and electronic data wasn’t considered "tangible property."

There are subtler forms of coverage gaps, as well. In the world of business loss and the law, there are different classes of damages, depending on when and how they occur. In a 2016 case, a restaurant chain’s cyber insurance covered direct damages of a data breach, but left the restaurant high and dry for millions of dollars in fees and assessments associated with fraudulent credit card chargebacks.

The savvy CISO should do a detailed impact analysis for all major threat scenarios before shopping for cyber insurance. The list of possible impacts can include:

  • Direct monetary losses from electronic theft, phishing, email scam, or other types of cybercrime.
  • Losses due to cyber extortion, such as DDoS blackmail or ransomware.
  • Losses related to mitigating and investigating an incident, including computer forensics and consultants.
  • Losses due to downtime, which includes customer revenue, worker productivity, and increased operational costs.
  • Loss or damage to data or software, including costs associated with replacing, patching, recreating, or restoring things to the way they were before the incident.
  • Expenses associated with remediation activities, such as new control purchases, application design enhancements, monitoring, supporting staff, etc.
  • Expenses associated with customer breach notification, including public relations, legal consultation, postage fees, and telephone support.
  • Expenses associated with customer compensation because of the incident, including credit monitoring, service level agreement penalties, refunds, and contractual violations.
  • Expenses related to liability exposures due to the incident, such as investigator fees, legal defense costs, and civil court damage costs.
  • Expenses due to third-party liability exposures, including loss or corruption of third-party data or service.

Disqualifiers
Sometimes cyber insurance claims are denied because an organization disqualified itself. A hospital group’s claim for losses associated with a privacy breach was turned down because its systems were not properly patched. The hospital group had claimed on its application form to be performing many standard secure practices, but those practices had lapsed. This was sufficient reason for the insurer to deny payment.

Applying for insurance can be a grueling process involving detailed questionnaires and lengthy technical interviews. Throughout, the organization’s responses must be complete and honest; otherwise the insurance contract itself could be annulled.

This is a significant risk in cyber insurance because few IT security practices are perfect, and operational lapses do occur. One cyber insurance company rejected a claim because a user fell for a phishing attack. The insurer ruled that the resulting access was "authorized," even though the victim had been tricked into granting that authorization.

CISOs should know all the possible impacts and costs of a breach and match them to their cyber insurance policies. Having legal help from someone with deep expertise in this area is a prudent investment before purchasing. Whatever cyber insurance policies you purchase, make sure to read the fine print very carefully rather than assuming a policy provides the right coverage.


Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media, where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ...
Comments
mcavanaugh1
6/20/2017 | 1:12:18 PM
Cyber Insurance
While I understand the intent of the article, the majority of the information is only part of the picture. First, many of these suits and declinations of coverage were filed under insurance policies that were never intended to cover these exposures, specifically Crime & Commercial General Liability insurance policies. The expectation that a CGL policy designed to cover bodily injury and property damage should also cover these types of exposures is ridiculous. It would be similar to filing a claim for an auto accident under your homeowner's insurance policy.

Second, the examples of social engineering, phishing and the lack of coverage should fall more on the insurance agent or broker that placed the coverage. While this coverage may not have been available in January of 2016 (Krebs Article), September of 2015 (BitPay), June of 2016 (PF Changs), and August of 2013 (Schnucks), it is currently available in the marketplace and has been for quite some time. This coverage is readily available from several insurance companies on a cyber liability insurance policy for most industries, although the insurance agent may have to request that the coverage be specifically added. The truth is that a correctly written cyber liability insurance policy can respond to everything that was mentioned in the 10 bullet points outlined in the article. Also, many carriers are writing comprehensive policies that will cover everything with a minimum premium of $1,000 (less for some industries) with a deductible of $1,000 to start. This can include the cyber-crime coverage needed in two of the examples (Krebs & BitPay) linked to in the article.

I definitely agree that a company contemplating purchasing a policy should read the fine print; however, the first step should be finding an insurance agent or broker that understands the coverage. A cyber liability insurance policy should complement the risk management measures in place with the mindset of viewing the policy as a service. Many carriers will provide risk management services to a policyholder before and after an event with the goal of making their policyholder more secure.