Risk

7/12/2019
01:00 PM
A Lawyer's Guide to Cyber Insurance: 4 Basic Tips

The time to read the fine print in your cybersecurity insurance policy is before you sign on the dotted line.

These days, it seems that everyone has heard a cyber insurance horror story: a catastrophic cyber event followed by a swift denial of cyber insurance coverage. At a time when all companies are beginning to think in terms of cyber resilience, cyber insurance is an important part of any company's cyber preparedness. As outside counsel, I've spent significant time reviewing cyber policies. Below are my top tips to consider when looking at your cyber insurance coverage. 

Tip 1. If you don't know whether you have cyber insurance, you likely do not have it.
Why? Because cybersecurity events are a common exclusion across general liability policies and require their own standalone policy. Worse, not all policies are created equal, and the cyber insurance industry is like the Wild West: because of its relative newness, policies are not standardized. So, while your directors and officers (D&O) policy may look basically the same as the one sold by the insurance company down the street, that is likely not true for cyber coverage. Thus, it is important to carefully review your cyber insurance options and not just lock in whatever an insurance broker is selling as premium coverage.

Tip 2. Read the actual policy, not just the summary of coverage.
Cyber insurance coverage can diverge drastically from one insurance provider to another, so it is incredibly important to review the actual insurance policy. Some of you may be rolling your eyes at this basic suggestion, but you'd be surprised how often I've seen a client provided with a summary of coverage without a copy of the actual underlying policy, thinking that may be all they need. Why does this matter? Because inevitably there will be terms that govern the policy that are legally defined terms in the policy itself. So, if a dispute arises as to whether an event is covered by an insurance policy, a court is going to look at the four corners of the actual insurance policy and will not likely consider evidence of what you were told at the time you bought the policy. An insurance policy is a contract between you and the insurance company. And, just as in a breach of contract action, if there is a dispute later, a court will look to the written agreement between the parties. Therefore, the time to read the policy is now — not during an event.

Often, I see a summary of coverage that lists a "social engineering exclusion." These social engineering exclusions can encompass phishing and sometimes even ransomware. But if you only have the summary of coverage without the related definitions, you won't know what may or may not be covered.

It's also important that your CISO, or someone in your organization with cybersecurity expertise, reviews the cyber insurance policy, which typically includes technical language and definitions. For example, I recently read a policy that only provided coverage for a claim made by someone for incidents that rose to the level of a "technology wrongful act" or a "privacy and security wrongful act." But when you read the policy, "technology wrongful act" covered only the hosting of data. The coverage for "privacy and security wrongful act" covered what the policy described as "the failure to prevent a breach that resulted in the inability of the user to gain access to a network, malicious deletion of data on the network, and transmission of malware to third parties." Notably missing from this definition was the concept of a financial loss related to social engineering, phishing, ransomware, or wire transfer fraud.

Tip 3. Exclusions can be brutal.
Cyber-risk translates into big dollar risk and insurance companies recognize this. Phishing and ransomware can both be common exclusions along with business email compromise events. Wire transfer fraud is often not covered. Because of this, it is important to look at your policy to determine what it really and truly covers. I once had a CEO ask if their policy only covered someone breaking in and stealing a server rack. Unfortunately, in that instance, the answer was "basically."

I have also started to see policies that contain a summary of coverage page that lists a set sum for coverages (for instance, a chart that shows $5 million worth of first-party coverage to protect the company being insured). Then, hidden deep in the policy, are the actual sublimits and exclusions. In one egregious review, the social engineering sublimit of $100,000 was buried on page 54 of a 66-page PDF. It also contained a $50,000 "retention" (essentially a deductible) to be paid out of pocket by the company before coverage is triggered. If the client had only the summary of coverage provided by the broker, they would have thought they had $5 million in cyber coverage because the exclusion was not listed front and center but was instead hidden deep in the PDF.

Knowing that exclusions are a common part of cyber insurance, it is important to ask your broker for several cyber insurance policies to compare at the time of binding coverage. Look at your business operations and determine what coverage you need. Is your organization a software company? A managed service provider? A brick-and-mortar business with a lot of employees? A public utility or a financial institution? A hospital? Tailor your cyber insurance to your business, and be aware that the typical broker may be fantastic at selling D&O coverage but is not a cyber insurance guru. No matter your industry or business model, have a cybersecurity lawyer help you navigate the insurance coverage matrix and negotiate coverage.

Tip 4. Negotiate before, not after, a breach.
You can always try to negotiate better coverage. At minimum, ask for lower retentions and higher sublimits.

If you have a favorite forensic team, ask that its members be included as your chosen provider in the event of a breach. Often, insurance companies provide "panel" counsel and "panel" forensics teams. I have seen fantastic firms listed as panel counsel in the marketing materials provided to a client. Then, when the breach hits, the client is assigned counsel not from the elite Manhattan firm but from somewhere else.

You can also ask for your chosen team to be included when you "bind" coverage. As part of the insurance application process, make a specific request for the people you know and trust. Then, when the worst hits, you know you have your A team at your back versus a crew arriving from out of your market.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ...
Comments
REISEN1955 (User Rank: Ninja), 7/16/2019 | 8:32:05 AM
Re: Monetary protection only
Point taken, and it would be wise for insurance companies to provide these services and also make sure their suggestions ARE being carried out!!! Periodic review would be mandatory.
mcavanaugh1 (User Rank: Strategist), 7/16/2019 | 8:12:38 AM
Re: Monetary protection only
No, not all Cyber Insurance policies are limited to monetary protection. Many carriers providing standalone Cyber Insurance policies provide pre-breach risk management services including policy & procedure templates, pre-breach consulting, and training to ultimately provide education to companies. Some will also provide active monitoring, vulnerability scans (limited in nature), phishing training for employees, tabletop exercises, and hardware/software to help protect the insured company's network. These can all be provided to an insured company for no additional cost.

The marketplace is adapting to include post-breach remediation as well. Some carriers will extend consulting services to provide recommendations, and others will pay to remediate any issues to avoid breaches going forward. This can include replacing hardware, upgrading systems, or simply rolling out patches, depending on the consultant's findings.

There is a lot of misinformation out there lately about insurance companies denying coverage under a Cyber Insurance policy. The most recent is the War Exclusion issue. In the case of Mondelez, the articles/stories rarely explain that Mondelez did not have a Cyber Insurance policy but rather was trying to file a cyber claim under a Property policy not designed to cover that exposure.

Your best bet to get covered is to work with an agent/broker that knows the coverage and works with insurance companies that have been in the marketplace long enough that they have handled many, many claims and offer a comprehensive policy with risk management services. Premiums for these policies can be as low as $500-$700, inclusive of the coverage & services.
REISEN1955 (User Rank: Ninja), 7/15/2019 | 9:49:29 AM
Monetary protection only
Does not PREVENT or REMEDIATE a breach!!! This is for the accounting department - gee, 14 million records stolen and personal data exposed BUT the firm can survive the financial loss!!! WE HAVE INSURANCE. Oh, that is a signal for the lawyers to file lawsuits - why? THE CASH IS THERE. But it does nothing to prevent or take action during or after a breach. Does it???