
Partner Perspectives
6/15/2017, 11:00 AM
Sara Boddy

Cyber Insurance: Read the Fine Print!

Applying for insurance is a grueling process involving detailed questionnaires and lengthy technical interviews that can still leave you without an adequate safety net.

Raymond Pompon also contributed to this article.

Those of us with experience in IT security know there are some risks we just can’t mitigate. In such cases, many of us seek out risk transference through cyber insurance. But, some of us had a rude awakening when we found out that the coverage we’ve spent tens of thousands (or even millions) of dollars a year on fails to honor our claim.

This is exactly what happened with Ameriforge Group, a victim of an email scam in which a company’s chief executive was impersonated. The losses to Ameriforge were worth nearly half a million dollars. But the insurance carrier claimed the company’s coverage was for forgery of financial instruments, not fraudulent emails that executives were tricked into following.

This story is not an aberration. For the past year, F5 Labs researchers have heard many CISOs complain that cyber insurance isn't to be trusted at face value. One prominent CISO, who chose to remain anonymous, flat out told us, "Cyber insurance is B.S.," adding, "No one will actually cover claims. It gives you a false sense of control."

Although not every CISO believes the situation is quite that dire, the number of corporate attorneys who understand the nuances of cyber insurance is small. Without qualified legal help, you can easily find yourself without a safety net when you need it most.

Coverage Gaps
What kind of coverage gaps are people seeing? One of the most obvious is the base deductible. Some policies vary the deductible amount based on the type of loss, and some losses aren’t covered unless they exceed $500,000. In other cases, organizations wrongly think their standard business loss insurance covers cyber loss. In a 2013 case, a hacked company was denied payment because its policy applied to property damage—and electronic data wasn’t considered "tangible property."

There are subtler forms of coverage gaps, as well. In the world of business loss and the law, there are different classes of damages, depending on when and how they occur. In a 2016 case, a restaurant chain’s cyber insurance covered direct damages of a data breach, but left the restaurant high and dry for millions of dollars in fees and assessments associated with fraudulent credit card chargebacks.

The savvy CISO should do a detailed impact analysis for all major threat scenarios before shopping for cyber insurance. The list of possible impacts can include:

  • Direct monetary losses from electronic theft, phishing, email scam, or other types of cybercrime.
  • Losses due to cyber extortion, such as DDoS blackmail or ransomware.
  • Losses related to mitigating and investigating an incident, including computer forensics and consultants.
  • Losses due to downtime, which includes customer revenue, worker productivity, and increased operational costs.
  • Loss or damage to data or software, including costs associated with replacing, patching, recreating, or restoring things to the way they were before the incident.
  • Expenses associated with remediation activities, such as new control purchases, application design enhancements, monitoring, supporting staff, etc.
  • Expenses associated with customer breach notification, including public relations, legal consultation, postage fees, and telephone support.
  • Expenses associated with customer compensation because of the incident, including credit monitoring, service level agreement penalties, refunds, and contractual violations.
  • Expenses related to liability exposures due to the incident, such as investigator fees, legal defense costs, and civil court damage costs.
  • Expenses due to third-party liability exposures, including loss or corruption of third-party data or service.

Disqualifiers
Sometimes cyber insurance claims are denied because an organization disqualified itself. A hospital group’s claim for losses associated with a privacy breach was turned down because its systems were not properly patched. The hospital group had claimed on its application form to be performing many standard secure practices, but those practices had lapsed. This was sufficient reason for the insurer to deny payment.

Applying for insurance can sometimes be a grueling process involving detailed questionnaires and lengthy technical interviews. Throughout that process, the organization's responses must be complete and honest; otherwise the insurer can void the contract, and a claim can be denied on the grounds that the application misrepresented the controls in place.

This is a significant risk in cyber insurance because few IT security practices are carried out perfectly, and operational lapses do occur. One cyber insurance company rejected a claim because a user fell for a phishing attack. The insurance company ruled that the access was "authorized," even though the victim was tricked into giving the authorization.

CISOs should know all the possible impacts and costs of a breach and match them to their cyber insurance policies. Having legal help from someone with deep expertise in this area is a prudent investment before purchasing. Whatever cyber insurance policies you purchase, make sure to read the fine print very carefully rather than assuming a policy provides the right coverage.


Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ...
Comments
mcavanaugh1, User Rank: Strategist
6/20/2017 | 1:12:18 PM
Cyber Insurance
While I understand the intent of the article, the majority of the information is only part of the picture. First, many of these suits and declinations of coverage were filed under insurance policies that were never intended to cover these exposures, specifically Crime & Commercial General Liability insurance policies. The expectation that a CGL policy designed to cover bodily injury and property damage should also cover these types of exposures is ridiculous. It would be similar to filing a claim for an auto accident under your homeowner's insurance policy.

Second, the examples of social engineering, phishing and the lack of coverage should fall more on the insurance agent or broker that placed the coverage. While this coverage may not have been available in January of 2016 (Krebs Article), September of 2015 (BitPay), June of 2016 (PF Changs), and August of 2013 (Schnucks) they are currently available in the marketplace and have been for quite some time.  This coverage is readily available from several insurance companies on a cyber liability insurance policy for most industries although the insurance agent may have to request the coverage to specifically be added. The truth is that a correctly written cyber liability insurance policy can respond to everything that was mentioned in the 10 bullet points outlined in the article.  Also, many carriers are writing comprehensive policies that will cover everything with a minimum premium of $1,000 (less for some industries) with a deductible of $1,000 to start.  This can include the cyber-crime coverage needed in two of the examples (Krebs & BitPay) linked to in the article.  

I definitely agree that a company contemplating purchasing a policy should read the fine print; however, the first step should be finding an insurance agent or broker that understands the coverage. A cyber liability insurance policy should complement the risk management measures in place with the mindset of viewing the policy as a service. Many carriers will provide risk management services to a policyholder before and after an event with the goal of making their policyholder more secure.