6/15/2017 11:00 AM
Sara Boddy

Cyber Insurance: Read the Fine Print!

Applying for insurance is a grueling process involving detailed questionnaires and lengthy technical interviews that can still leave you without an adequate safety net.

Raymond Pompon also contributed to this article.

Those of us with experience in IT security know there are some risks we just can’t mitigate. In such cases, many of us seek out risk transference through cyber insurance. But, some of us had a rude awakening when we found out that the coverage we’ve spent tens of thousands (or even millions) of dollars a year on fails to honor our claim.

This is exactly what happened with Ameriforge Group, a victim of an email scam in which a company’s chief executive was impersonated. The losses to Ameriforge were worth nearly half a million dollars. But the insurance carrier claimed the company’s coverage was for forgery of financial instruments, not fraudulent emails that executives were tricked into following.

This story is not an aberration. For the past year, F5 Labs researchers have heard many CISOs complain that cyber insurance isn’t to be trusted at face value. One prominent CISO, who chose to remain anonymous, flat out told us, "Cyber insurance is B.S.," adding, "No one will actually cover claims. It gives you a false sense of control."

Although not every CISO believes the situation is quite that dire, few corporate attorneys understand the nuances of cyber insurance. Without qualified legal help, you can easily find yourself without a safety net when you need it most.

Coverage Gaps
What kind of coverage gaps are people seeing? One of the most obvious is the base deductible. Some policies vary the deductible amount based on the type of loss, and some losses aren’t covered unless they exceed $500,000. In other cases, organizations wrongly think their standard business loss insurance covers cyber loss. In a 2013 case, a hacked company was denied payment because its policy applied to property damage—and electronic data wasn’t considered "tangible property."

There are subtler forms of coverage gaps, as well. In the world of business loss and the law, there are different classes of damages, depending on when and how they occur. In a 2016 case, a restaurant chain’s cyber insurance covered direct damages of a data breach, but left the restaurant high and dry for millions of dollars in fees and assessments associated with fraudulent credit card chargebacks.

The savvy CISO should do a detailed impact analysis for all major threat scenarios before shopping for cyber insurance. The list of possible impacts can include:

  • Direct monetary losses from electronic theft, phishing, email scam, or other types of cybercrime.
  • Losses due to cyber extortion, such as DDoS blackmail or ransomware.
  • Losses related to mitigating and investigating an incident, including computer forensics and consultants.
  • Losses due to downtime, which includes customer revenue, worker productivity, and increased operational costs.
  • Loss or damage to data or software, including costs associated with replacing, patching, recreating, or restoring things to the way they were before the incident.
  • Expenses associated with remediation activities, such as new control purchases, application design enhancements, monitoring, supporting staff, etc.
  • Expenses associated with customer breach notification, including public relations, legal consultation, postage fees, and telephone support.
  • Expenses associated with customer compensation because of the incident, including credit monitoring, service level agreement penalties, refunds, and contractual violations.
  • Expenses related to liability exposures due to the incident, such as investigator fees, legal defense costs, and civil court damage costs.
  • Expenses due to third-party liability exposures, including loss or corruption of third-party data or service.

Disqualifiers
Sometimes cyber insurance claims are denied because an organization disqualified itself. A hospital group’s claim for losses associated with a privacy breach was turned down because its systems were not properly patched. The hospital group had claimed on its application form to be performing many standard secure practices, but those practices had lapsed. This was sufficient reason for the insurer to deny payment.

Applying for insurance can sometimes be a grueling process involving detailed questionnaires and lengthy technical interviews. During this time, organizational responses must be complete and honest, otherwise the viability of the insurance contract could be annulled.

This is a significant risk in cyber insurance because many IT security practices are not 100% perfect, and occasionally there are operational lapses. One cyber insurance company rejected a claim because a user fell for a phishing attack. The insurance company ruled that the access was "authorized," even though the victim was tricked into giving the authorization.

CISOs should know all the possible impacts and costs of a breach and match them to their cyber insurance policies. Having legal help from someone with deep expertise in this area is a prudent investment before purchasing. Whatever cyber insurance policies you purchase, make sure to read the fine print very carefully rather than assuming a policy provides the right coverage.


Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ...
Comments
mcavanaugh1,
User Rank: Strategist
6/20/2017 | 1:12:18 PM
Cyber Insurance
While I understand the intent of the article, the majority of the information is only part of the picture. First, many of these suits and declinations of coverage were filed under insurance policies that were never intended to cover these exposures, specifically Crime & Commercial General Liability insurance policies. The expectation that a CGL policy designed to cover bodily injury and property damage should also cover these types of exposures is ridiculous. It would be similar to filing a claim for an auto accident under your homeowner's insurance policy.

Second, the examples of social engineering, phishing and the lack of coverage should fall more on the insurance agent or broker that placed the coverage. While this coverage may not have been available in January of 2016 (Krebs Article), September of 2015 (BitPay), June of 2016 (PF Changs), and August of 2013 (Schnucks), they are currently available in the marketplace and have been for quite some time. This coverage is readily available from several insurance companies on a cyber liability insurance policy for most industries, although the insurance agent may have to request the coverage to specifically be added. The truth is that a correctly written cyber liability insurance policy can respond to everything that was mentioned in the 10 bullet points outlined in the article. Also, many carriers are writing comprehensive policies that will cover everything with a minimum premium of $1,000 (less for some industries) with a deductible of $1,000 to start. This can include the cyber-crime coverage needed in two of the examples (Krebs & BitPay) linked to in the article.

I definitely agree that a company contemplating purchasing a policy should read the fine print; however, the first step should be finding an insurance agent or broker that understands the coverage. A cyber liability insurance policy should complement the risk management measures in place with the mindset of viewing the policy as a service. Many carriers will provide risk management services to a policyholder before and after an event with the goal of making their policyholder more secure.