Cyber insurance is one of those checkbox items everyone makes sure they have. Occasionally you’ll read about a breach and see some figure and double check that your insurance policy will cover you. Simple.
Cyber insurance is anything but simple. In the world of insurance, even insurance companies get cyber insurance wrong. Here is what you need to know:
1. Cyber is special
Cyber insurance isn’t covered under your umbrella or general errors and omissions insurance. It is a specialty insurance product that — compared to other insurance products — is very new to the market. Cyber insurance is written on its own form and often varies greatly from insurance company to insurance company.
2. Read Your Policy
The art of the policy is in the details. And the details are so important that every information security professional should read their company’s policy. In fact, go request a copy and read it today. Why?
The insurance policy covers you under certain conditions (coming up in the next heading) and specifically won’t cover you for others. Are you looking for the data elements or exclusions that can cause you greater harm? I would argue that risk management frameworks, PMO and SDLC programs, and other security models should take cyber insurance into consideration. Let’s look at an example.
3. Exclusions, Exclusions
I’ve read many cyber policies. They’re all different. So my examples may be exactly what you find in your policies or completely different. This one was interesting:
Quick note: companies argue about what the words on the page mean all the time. Especially with cyber insurance. It’s easy for me to say you’re not covered, but a bunch of much smarter attorneys would actually figure out coverage. It’s highly possible phone number ends up being classified as something not private and coverage continues.
4. Understanding First Party and Third Party Risk
There is one more important element to your cyber insurance. First and Third Party Risks. First party risks are direct costs for loss or damages in a breach. In the Sony breach scenario, the hacker deleted and locked out a large number of users. The direct costs related to the breach are first party risks.
The interesting scenario is third party risks. In the more recent T-Mobile/Experian case (see my take on that breach here), Experian had a breach of T-Mobile data. Experian would need third party risk coverage to cover the breach of T-Mobile’s data.
Add one more layer of confusion to the mix. When two parties are involved, T-Mobile may be able to claim both first party and third party damages while Experian may be able to do the same.
As there are differences in coverage between first party and third party risks, you should understand what they are and incorporate them into your risk management and vendor management processes. You should also understand where your coverage may be used. Are you sending data to a third party? Are you receiving data from a third party? Are your employees bringing data with them? They all require different coverage requirements in your policy.
5. Getting You Back To Normal
Hopefully you’ve never had flooding to your home. I had a flood a few years ago. The insurance adjuster pointed out two parts of my coverage. Getting my basement back to livable condition and getting it back to normal. (Livable just means cleaned up, not actually fixed and finished.)
The same holds true for cyber policies. Almost every policy I’ve read states that they only cover costs related to the breach and specifically exclude costs for fixing your mistakes. Let’s take the Target breach as an example. Likely (I’ve never seen their policy), the insurance covered the removal of the malware from each of the point of sale systems. This is getting the basement back to livable condition.
They wouldn’t cover getting the point of sale systems secure so it didn’t happen again. And while I’ve seen people not fix their systems and get hacked again, for most of us we would plan on closing the holes and making ourselves more secure.
Your To Do
Try to get a copy of your own company’s cyber insurance policy. If nothing else, it will be a data point in how you manage risk on a day-to-day basis. If you don’t have access to your policy, get a copy of any company’s policy. The point being that you should understand what the words on the page say and think about how it changes how you manage security.
Finally, while it may seem like I’m saying you should change your security practices for insurance reasons, I’m only suggesting that you understand your risks and build mitigations into your environment. The objective is not to play games with your cyber coverage but to understand it.
I was awaken to these risks by a future guest on my podcast. Nick Merker will be featured next year on the podcast and is a security professional turned attorney. I’ve attended a presentation by Nick and his fellow attorneys at Ice Miller on this topic and it opened by eyes to the risks. What is written here today is the tip of the iceberg. I would recommend contacting Nick or any attorney with deep knowledge in this area to help you understand your specific policies and how they may actually cover you in a breach.