The Truth About Cybersecurity Insurance
As a chief financial officer, why would a company invest $3 million to hire external experts to fix known cybersecurity issues when the company has a $10 million cybersecurity insurance policy? Surely it would be better to redirect that $3 million to help grow revenue than to sink it into a cybersecurity remediation project that delivers no revenue recognition and no apparent ROI. After all, under its insurance policy the company will receive $10 million to fix any cybersecurity issues if a breach occurs, right?
This type of thinking about cybersecurity insurance is becoming commonplace. But enterprises that try to shift cybersecurity costs onto insurers in this way are, in effect, trying to rip them off, and savvier insurers are increasingly likely to deny breach claims as a result.
Being breached is not a world-class customer experience. It clearly shows that an organization did not treat cybersecurity as a top priority for protecting customer information, which is a company asset. Companies that shun proactive measures to protect customer data are typically obsessed with running a metrics-driven organization ruled by bean counters, which usually leads to a security breach, as evidenced recently by countless companies such as Target, Home Depot, and The Trump Hotel Collection.
If you think your company is covered for a cybersecurity incident under a general commercial insurance policy, check with your agent. If your organization does not have a dedicated cybersecurity insurance policy, it is highly unlikely that a security breach would be covered.
Often, companies do not accurately report their security posture during the insurance application process. Typically the CFO, CIO, or COO completes the cybersecurity insurance application and checks "yes" on every question about protective safeguards.
CFOs that take that approach toward cyber insurance will be dumbfounded when they submit a claim after an incident happens only to receive a denial, said Christine Marciano, a data privacy and cyber risk insurance specialist at Cyber Data-Risk Managers. It is common for a company that does have a claim to dispute an insurance company's decision not to deliver a payout. Marciano added: "Cyber insurance cannot replace security as it's meant to complement security when it fails. Cyber insurance underwriters expect a company to be practicing good cyber hygiene and are not interested in insuring companies that don't take security seriously, as a security incident is guaranteed to happen in such cases."
Cybersecurity insurance policies are not straightforward. Here is a sampling of policy types:
- Cyber Risk Insurance, which comes in two forms (third-party liability and first-party liability) and covers ancillary costs such as attorney fees, data reconstruction, crisis management, customer notification, public relations, etc.
- Data Breach Insurance, which covers business interruption, penalties, security liability, forensics, damages, etc.
- Data Breach Contractual Programs for multi-tenant data centers and cloud providers, which set a separate coverage limit for each hosted customer, such as a $25,000, $50,000, or $100,000 payout cap.
When a cybersecurity breach occurs, a company is in for a shock if it did not follow the provisions of its cybersecurity insurance policy, said Guy Fogel, an agent for Argo Group. Case in point: CNA Financial is seeking a judicial ruling that it is not obligated to pay a $4.1 million settlement under a hospital system's cyber policy because the insured failed to meet the "minimum required practices" it said it was following in its insurance application. In another case, Transportation Insurance had issued a policy in 2011 to Atlanta-based real estate company Metro Brokers, which then claimed for the online theft of $188,000 from client escrow accounts. Metro disputed the denied claim, but a US District Court in Atlanta sided with Transportation Insurance, upholding the denial and dismissing the case.
In another case, former IBM employees' personal data was lost when tapes fell out of a truck on a highway in New York. The Connecticut Supreme Court ruled that Scottsdale Insurance was not obligated to pay out because the event was not covered under Umbrella & General Liability insurance. More companies will see claims denied because of what is on the insurance application, said Fogel. The actual cybersecurity controls in place at the time of the breach will dictate the outcome of the claim. False statements on the application can void the entire policy should a claim arise, and then they're back to the roundtable with no coverage and no security, added Marciano.
About the Author:
Todd Bell is an international cybersecurity and technology executive who has served as a CISO and CIO and on boards of advisors and boards of directors for companies ranging from the Fortune 500 to small businesses. See his LinkedIn profile.