Cookie-Einstellungen
schließen

You Have a Cyber Insurance Policy – But Do You Have Coverage?

Apptega
February 14, 2024
 

Introduction

Key Takeaways

The inevitable happened. Despite all your precautions and safeguards, your business experienced a cyberattack. Maybe it was a ransomware incident with millions in damage or a smaller breach with less impact. Either way, it’s going to cost you dollars and downtime. Luckily, you thought ahead and purchased cyber insurance, so your business is covered.

Right?  

Not so fast.  

Having insurance and being covered for an incident are two vastly different things. Consider a health insurance policy that doesn’t cover certain procedures or medications. Or homeowners insurance that excludes flood damage or rodents in the attic. (“What do you mean a raccoon exclusion?”)  

Cyber insurance is no different. Having a policy in place doesn’t guarantee a payout. In fact, around 25% to 30% of cyber insurance claims are rejected, according to Foresite Cybersecurity.

This is often a result of misconceptions around the actions organizations must take to comply with their cyber insurance policies as well as a lack of understanding of the policies themselves.  

From exclusions to sub-limits, there are many hidden “gotchas” buried within your cyber insurance policy. It’s important to be aware of these pitfalls and how to avoid them. Understanding your coverage and having the right protections in place can spell the difference between a million-dollar payout and a business-ending event.

In a recent conversation with Apptega, Tracy Fox, National Channel Sales Director at Foresite, provided tips for securing cyber insurance, ensuring coverage when you need it, and maintaining continuous compliance.  

We’ll get to those shortly, but first …  

A quick history of cyber insurance

Cyber liability insurance helps protect organizations from financial risk after an incident. When done properly and in alignment with a thorough risk assessment and compliance program, cyber insurance can help mitigate the damage caused by threats to security, privacy, service, and operations.  

Unfortunately, this type of coverage doesn’t come easy. An expanding list of requirements and exclusions makes securing cyber insurance and associated payouts more difficult than ever.  

“Another trend we’re seeing is, if you’re going for say, $5 million or $10 million in coverage, you’re going to end up with multiple insurers,” Fox said. “None of them want to be left holding the bag for any one major incident. They’re trying to spread around the risk a little more.”  

But it hasn’t always been this way.  

A decade ago, cyber insurance was comparatively much easier to obtain and involved little underwriting. Of course, adoption was much lower back then, as was overall awareness and risk. But within the last five years, the proliferation of ransomware attacks and emerging cybercrime related to pandemic-induced remote work has led to a surge in claims.  

Insurance carriers started raising the cost of premiums and their standards for coverage. As a result, the U.S. cyber insurance market saw 50% year-over-year growth in direct premiums written (DPW) in 2022 as well as significant loss ratio improvement (i.e., increases in premiums earned vs. claims paid), according to a recent AM Best analysis. Today cyber insurance is one of the fastest-growing segments in property and casualty (P&C) insurance.

“So, if you’re getting a policy, expect to pay more, expect your costs to go up, and expect a lot more of the gotchas to be written into those policies to protect the insurer,” said Fox.

What a difference 10 years has made for cyber insurance.

How to protect your business and ensure coverage

In 2023, the average cost of a data breach in the U.S. was $9.48 million — a rounding error for some companies, an extinction event for others. Without a massive insurance payout, your business may not survive the fallout. That’s why it’s so important to make sure you have the right coverage in place and are doing everything in your power to meet insurance requirements.  

Here are some helpful tips from Fox to help you succeed.

1. Proactively Align with a Compliance Framework

Meeting the requirements for cyber insurance coverage is all about minimizing risk. The easiest way to do that is by aligning to a recognized cybersecurity best practice or compliance framework, which can help you identify and patch up any gaps in your security posture.

Most attacks aren’t targeted, with an estimated 80% occurring because of poor information hygiene. Attackers are just buying ransomware and email lists, casting a wide net of malicious links to see what they can catch. If you’re following a framework like ISO 27001, which requires alignment with established data security best practices for an information security management system (ISMS), you’re much less likely to become a victim. And if you do, you’ll be better positioned to receive a payout.

There are no guarantees when it comes to cybersecurity, but that doesn’t mean you should sit back and wait for an incident to happen. That’s why some states have instituted “safe harbor” for organizations that proactively align to recognized frameworks.  

Safe harbor is an incentive to take proper precautions, shielding your organization from regulatory fines or even legal judgments if you can show proactive alignment. If you’re in a state that doesn’t have safe harbor, proactive alignment to a recognized framework is still your best protection against potential lawsuits, regulators, and insurance coverage issues.

There are several frameworks to choose from, and deciding can be difficult if you don’t know what to look for. Assuming there are no industry-specific requirements — such as the Health Insurance Portability and Accountability Act (HIPAA) or Cybersecurity Maturity Model Certification (CMMC) — Fox recommends starting with the National Institute of Standard and Technology Cyber Security Framework (NIST CSF).

Fox explains why NIST CSF is a good starter framework.

2. Ensure Proper Protections  

How secure is your organization? What are your security measures? When applying for cyber insurance, carriers want to know what kind of controls you have in place. While these can differ for each organization and insurer, there are some frequent questions you may need to answer to ensure you’re following best practices:  

  • Do you have multi-factor authentication (MFA)?
  • Do you have backups? Can they be restored? How quickly?
  • Are your systems encrypted?  
  • How much downtime is expected? Would you go down for weeks or months, resulting in a larger claim?
  • Is your staff trained on basic information security best practices?
  • How are you monitoring for threats?
  • What kind of protection do you have on workstations? If one gets infected, will it spread through the organization like wildfire?

“Those are the things they’re going to ask before they determine whether to give you coverage,” Fox said. “But what I ask is, what recognized cyber framework are you aligned to? Because if you want to support what you’ve done as reasonable, it typically goes beyond those questions on the application.”

3. Don’t Stretch the Truth

Organizations don’t always realize how seriously insurers take the cyber insurance application questionnaire. It’s not like taking a Buzzfeed poll or filling out your dating profile. Millions of dollars are on the line, so you better get it right. Your answers matter, and insurance carriers are going to hold you to them — to a T.  

If you say you have a protection in place, you better mean it. Don’t stretch the truth or overstate your status. You may think you have protections when you don’t, so you need to confirm what you’re reporting is accurate. That can be difficult to do if you don’t know what’s happening day in and day out, especially for small businesses without a head of IT or another responsible stakeholder. So, how do you ensure your attestations are correct?

Fox suggests having a third party validate the information for you — one who specializes in these assessments. Because if you don’t know the standard of an auditor, you could answer something incorrectly, which can get you into trouble. Let’s look at a real-life example in the following clip.

Claim loopholes, such as misrepresenting your MFA status on the insurance application (as this example explains), can mean you aren’t covered.

4. Know Your Sub-Limits and Deductibles

Two of the biggest gotchas in your cyber insurance policy are sub-limits and deductibles. Sub-limits are the maximum payments an insurance carrier will provide for a specific type of incident. Your deductible is the amount you must pay before your insurance kicks in for a covered loss.

You can align with a recognized framework, ensure proper protections, and fill out your application to perfection. But if you haven’t reached your deductible, or your sub-limit doesn’t cover the entire incident, it won’t matter. You’ll still end up paying for the incident, despite your preparation.  

That’s why you should know what you’re signing up for when accepting your policy. You may not have the freedom to change your sub-limits or deductible, but at least you’ll know what to expect if an incident occurs. The last thing you want is to be surprised by or unprepared for any uncovered costs.

Even with coverage, if you haven’t met your deductible or go over the sub-limit, you won’t be fully protected.

5. Show Your Work Through Continuous Compliance

P&C insurers are moving toward a continuous validation model. Carriers are no longer taking a set-it-and-forget-it approach, instead employing real-time monitoring to track policyholder behavior.  

In the world of auto insurance, many carriers are using telematics data to track driver behaviors such as speeding or hard braking, offering “safe driver” discounts to policyholders who avoid them.

Cyber insurance is heading in a similar direction, with a focus on continuous compliance. For example, the U.S. Department of Health and Human Services (HHS) — which is responsible for enforcing HIPAA — instituted a 12-month lookback period to ensure certain cybersecurity practices have been implemented.

In case of an incident or a proactive audit, continuous compliance is how you defend what you’re doing. When you file a claim, you don’t want it to look like you threw something together last minute. (“Oh, this old thing? Just something I had lying around the house.”)  

You want to show your work to prove you’re meeting compliance requirements and monitoring changes over time.

Continuous compliance is the key to defending a claim.

6. Invest in a Compliance Program

Having cyber insurance isn’t enough to protect your organization — it should instead be viewed as a last line of defense. You need to align the actions your policy requires to a broader compliance program, pulling in your assessments, frameworks, risk management, and more.  

Continued compliance is an ongoing investment, but one that yields significant — if hard to narrowly quantify — returns over time.

It’s when you start to factor in the potential costs of an incident with more tangible considerations like reduced premiums, increased investor confidence, and the ability to win more competitive deals due to a better security posture (how many times has your sales team demanded to see an updated SOC 2?), that the full value of compliance becomes clear.

The business case for a compliance program, comparing potential incident costs to calculate ROI.

7. Follow Regulations

When aligning cyber insurance with a broader compliance program, keep in mind:

Personally Identifiable Information (PII)

PII is any representation of information from which an individual’s identity can be reasonably inferred. One of the most prevalent examples is website data collected from visitors for marketing purposes.  

The protection of this data is policed by the Federal Trade Commission (FTC), which can audit any business and levy fines for a lack of “reasonable” protections, even if a data breach didn’t occur. Even worse, these fines and penalties are not typically covered by your cyber insurance policy, so it’s especially important to ensure protection.

“If you don’t need the data, don’t collect it,” Fox suggested. “Because if you collect it, there’s an expectation that you’re also going to protect it.”

Protecting PII can help you stay ahead of FTC audits and avoid fines.

State Privacy Laws

Every U.S. state has a data privacy requirement, but these rules can differ by state. Some have highly prescriptive requirements that align to dominant privacy regimes like General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), but many go back to reasonable protection.  

FTC Safeguards Rule

Financial institutions under the jurisdiction of the Federal Trade Commission (FTC) have their own requirements. And as of 2023, these institutions must take certain measures to keep customer information secure. These companies are also responsible for ensuring that affiliates and service providers are doing the same.  

Failure to do so can lead to fines and penalties that, much like with PII, are not typically covered by cyber insurance.

The new FTC Safeguards Rule extends security requirements beyond banks and credit unions.

SEC Guidelines

In July 2023, the SEC adopted a rule requiring, among other things, the public disclosure of incidents determined to be “material,” board oversight of cybersecurity programs, and ongoing disclosure in SEC filings of the steps, if any, organizations are taking to protect sensitive information.  

“I think the biggest thing is what’s considered material,” Fox said. “You’re supposed to report incidents within four days of determining they’re material. And there’s a lot of concern that people might define that differently. And then how do you handle that in the reporting?”  

While the reporting requirements are intended to equip investors with enough information to make informed judgements, companies may hesitate to disclose incidents. Premature public disclosure can raise several concerns, especially if the organization is negotiating with an attacker or in the middle of a forensic investigation.  

“They may not want the attacker to know they’ve detected them and are taking steps,” Fox continued. “So, there’s a lot of back and forth about whether this is for the better of the public or not. But this kind of reporting is here to stay.”

--

For more information on securing cyber insurance, ensuring coverage when you need it, and maintaining continuous compliance, watch the full Foresite webinar with Tracy Fox.