Dark Reading is part of the Informa Tech Division of Informa PLC



A Lawyer’s Guide to Cyber Insurance: 4 Basic Tips

The time to read the fine print in your cybersecurity insurance policy is before you sign on the dotted line.

These days, it seems that everyone has heard a cyber insurance horror story: a catastrophic cyber event followed by a swift denial of coverage. At a time when all companies are beginning to think in terms of cyber resilience, cyber insurance is an important part of any company's preparedness. As outside counsel, I've spent significant time reviewing cyber policies. Below are my top tips to consider when evaluating your cyber insurance coverage.

Tip 1. If you don't know whether you have cyber insurance, you likely do not have it.
Why? Because cybersecurity events are commonly excluded from general liability policies and require their own standalone policy. Worse, not all policies are created equal, and the cyber insurance industry is like the Wild West: because the market is relatively new, policy language is not standardized. So, while your directors and officers (D&O) policy may look basically the same as the one sold by the insurance company down the street, that is likely not true of cyber coverage. It is therefore important to carefully review your cyber insurance options rather than lock in whatever a broker is selling as premium coverage.

Tip 2. Read the actual policy, not just the summary of coverage.
Cyber insurance coverage can diverge drastically from provider to provider, so it is incredibly important to review the actual insurance policy. Some of you may be rolling your eyes at this basic suggestion, but you'd be surprised how often I've seen a client who was handed a summary of coverage without a copy of the underlying policy and assumed that was all they needed. Why does this matter? Because the terms that govern the policy are legally defined in the policy itself. If a dispute later arises over whether an event is covered, a court will look at the four corners of the actual policy and will not likely consider evidence of what you were told when you bought it. An insurance policy is a contract between you and the insurance company, and as in any breach-of-contract action, a court will look to the written agreement between the parties. Therefore, the time to read the policy is now, not during an event.

Often, I see a summary of coverage that lists a "social engineering exclusion." Such exclusions can encompass phishing and sometimes even ransomware. But if you have only the summary of coverage without the related definitions, you won't know what is or is not covered.

It's also important that your CISO, or someone else in your organization with cybersecurity expertise, reviews the cyber insurance policy, which typically includes technical language and definitions. For example, I recently read a policy that provided coverage only for claims arising from incidents that rose to the level of a "technology wrongful act" or a "privacy and security wrongful act." But when you read the definitions, "technology wrongful act" covered only the hosting of data. The coverage for "privacy and security wrongful act" covered what the policy described as "the failure to prevent a breach that resulted in the inability of the user to gain access to a network, malicious deletion of data on the network, and transmission of malware to third parties." Notably missing from this definition was any financial loss related to social engineering, phishing, ransomware, or wire transfer fraud.

Tip 3. Exclusions can be brutal.
Cyber-risk translates into big-dollar risk, and insurance companies recognize this. Phishing and ransomware are both common exclusions, along with business email compromise events. Wire transfer fraud is often not covered. Because of this, it is important to look at your policy to determine what it really and truly covers. I once had a CEO ask whether their policy covered only someone breaking in and stealing a server rack. Unfortunately, in that instance, the answer was "basically."

I have also started to see policies that contain a summary-of-coverage page listing a set sum for each coverage (for instance, a chart that shows $5 million of first-party coverage to protect the insured company). Then, hidden deep in the policy, are the actual sublimits and exclusions. In one egregious review, the social engineering sublimit of $100,000 was buried on page 54 of a 66-page PDF. The policy also carried a $50,000 "retention," essentially a deductible, to be paid out of pocket by the company before coverage is triggered. If the client had only the summary provided by the broker, they would have thought they had $5 million in cyber coverage, because the sublimit was not listed front and center but was hidden deep in the PDF.

Knowing that exclusions are a common part of cyber insurance, it is important to ask your broker for several cyber insurance policies to compare at the time of binding coverage. Look at your business operations and determine what coverage you need. Is your organization a software company? A managed service provider? A brick-and-mortar business with a lot of employees? A public utility or a financial institution? A hospital? Tailor your cyber insurance to your business, and be aware that the typical broker may be fantastic at selling D&O coverage but is not a cyber insurance guru. No matter your industry or business model, have a cybersecurity lawyer help you navigate the coverage matrix and negotiate terms.

Tip 4. Negotiate before, not after, a breach.
You can always try to negotiate better coverage. At minimum, ask for lower retentions and higher sublimits.

If you have a favorite forensic team, ask that its members be named as your chosen provider in the event of a breach. Insurance companies often provide "panel" counsel and "panel" forensics teams. I have seen fantastic firms listed as panel counsel in the marketing materials provided to a client. Then, when the breach hits, the client is assigned counsel not from the elite Manhattan firm but from somewhere else.

You can also ask for your chosen team to be included when you "bind" coverage. As part of the insurance application process, make a specific request for the people you know and trust. Then, when the worst hits, you have your A team at your back rather than a crew arriving from outside your market.


Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ...

User Rank: Ninja
7/16/2019 | 8:32:05 AM
Re: Monetary protection only
Point taken, and it would be wise for insurance companies to provide these services and also make sure their suggestions ARE being carried out!!! Periodic review would be mandatory.
User Rank: Moderator
7/16/2019 | 8:12:38 AM
Re: Monetary protection only
No, not all Cyber Insurance policies are limited to monetary protection. Many carriers providing standalone Cyber Insurance policies provide pre-breach risk management services including policies & procedure templates, pre-breach consulting, and training to ultimately provide education to companies. Some will also provide active monitoring, vulnerability scans (limited in nature), phishing training for employees, tabletop exercises, and hardware/software to help protect the insured company's network. These can all be provided to an insured company for no additional cost.

The marketplace is adapting to include post-breach remediation as well. Some carriers will extend consulting services to provide recommendations, and others will pay to remediate any issues to avoid breaches going forward. This can include replacing hardware, upgrading systems, or simply rolling out patches, depending on the consultant's findings.

There is a lot of misinformation out there lately about insurance companies denying coverage under a Cyber Insurance policy. The most recent is the War Exclusion issue. In the case of Mondelez, the articles/stories rarely explain that Mondelez did not have a Cyber Insurance policy but rather was trying to file a cyber claim under a Property policy not designed to cover that exposure.

Your best bet to get covered is to work with an agent/broker that knows the coverage and works with insurance companies that have been in the marketplace long enough to have handled many, many claims and that offer a comprehensive policy with risk management services. Premiums for these policies can be as low as $500-$700 inclusive of the coverage & services.
User Rank: Ninja
7/15/2019 | 9:49:29 AM
Monetary protection only
Does not PREVENT or REMEDIATE a breach!!! This is for the accounting department: gee, 14 million records stolen and personal data exposed, BUT the firm can survive the financial loss!!! WE HAVE INSURANCE. Oh, that is a signal for the lawyers to file lawsuits. Why? THE CASH IS THERE. But it does nothing to prevent or take action during or after a breach. Does it???