10 Things Cyber Insurance Won't Cover
Cyber insurance policies come with some important caveats to keep in mind.
April 14, 2016
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blte8b16edc952528ce/64f0dc9290b8a5a916e7f424/01-insurance.jpeg?width=700&auto=webp&quality=80&disable=upscale)
The cyber insurance market is set to triple in the next several years, with experts from PwC projecting it to reach $7.5 billion by 2020. As more enterprises buy into plans to help mitigate some of the risk from catastrophic data breaches, they need to be mindful that cyber insurance isn't a panacea for IT risk management. It might be useful in helping to pay for the direct losses related to large-scale breaches of customer data--things like breach notification, forensics and even regulatory fines in some cases. However, there are plenty of categories of loss that these policies rarely cover, depending on how they're written. Experts warn enterprise risk managers to work closely with a trusted broker to ensure they get the most coverage possible, and enter these policies with their eyes wide open.
Most cyber insurance buyers recognize that coverage is only as good as the payout limit written into the policy. But many organizations don't realize that there are often sublimits hidden in policies that could really sting when it comes time to make a claim. For example, a large policy limit may not be very helpful if the sublimits for categories like forensics investigations or breach notification costs are restrictively low.
Cyber insurance at the moment is mostly geared around the risks of losing large customer databases. The insurance industry currently has very little expertise in properly sizing or underwriting the devaluing of IP or trade secrets at the hands of data thieves. As a result, most policies do not cover IP loss.
While there have been studies that link breaches to brand damage, there's not enough concrete evidence or financial modeling to create an insurance product that will cover this kind of liability in the event of a cyber event. This is a risk that CISOs need to mitigate through effective defenses and preparation, not insurance.
Whether it is due to a DDoS that kept online retail customers from their shopping carts, widespread outages that kept workers from productivity or a ransomware attack against IP that may have delayed important business projects, business interruptions caused by cyber attacks are rarely covered by cyber insurance policies.
Even if a company can directly tie a breach or cybersecurity incident to lost revenue, the chances of getting that recouped by a cyber insurance policy are slim to none. These types of policies rarely cover lost revenue due to breaches or cyber attacks.
Many cyber insurance policies include exclusion language for attacks that occur as a result of poor security practices. Often policies will be invalidated if companies are out of compliance with certain regulatory standards like PCI DSS or minimum security standards set by the insurance company itself.
Not only do most cyber insurance policies not cover any attacks deemed part of a terrorism attack, but many also exclude any kind of attack at the hands of a nation-state actor. Enterprises at risk of being attacked by a nation-state should look carefully for these kinds of exclusions in their policy.
While forensics is typically a bread-and-butter cyber insurance coverage area, remediating IT assets with improved security measures is rarely covered under most policies.
Physical damage caused by cyber attacks--such as what could occur in the event of a large attack against SCADA controllers and critical infrastructure--is not going to be found in a cyber liability policy. These risks need to be covered in other insurance policies.