Those of us with experience in IT security know there are some risks we just can’t mitigate. In such cases, many of us seek out risk transference through cyber insurance. Case in point: When a well-financed mercenary hacking team overwhelms our defenses, we need a remedy to make us whole and keep the business afloat. But, some of us have had a rude awakening when we find out that the coverage we’ve spent tens of thousands (or even millions) of dollars a year on fails to honor our claim. What is going on? Our backs against the wall, we end up in litigation with our insurance carrier, only to come out the loser, again.
This is exactly what happened with Ameriforge Group, a victim of an email scam in which a company’s chief executive was impersonated. The losses to Ameriforge were worth nearly half a million dollars. But the insurance carrier [1] claimed the company’s coverage was for forgery of financial instruments, not fraudulent emails that executives were tricked into following.
This story is not an aberration. For the past year, F5 Labs researchers have heard many CISOs complain that cyber insurance isn’t to be trusted at face value. One prominent CISO, who chose to remain anonymous, flat out said, “Cyber insurance is B.S.,” adding, “No one will actually cover claims. It gives you a false sense of control.”
Although every CISO might not believe the situation is quite that dire, there is unquestionably a shortage of corporate attorneys who understand the nuances of cyber insurance. Without qualified legal help, you can easily find yourself without a safety net when you need it most.
What kind of coverage gaps are people seeing? One of the most obvious is the base deductible. Some policies vary the deductible amount based on the type of loss, and some losses aren’t covered unless they exceed $500,000. In other cases, organizations wrongly think their standard business loss insurance covers cyber loss. In a 2013 case, a hacked company was denied payment because its policy applied to property damage—and electronic data wasn’t considered “tangible property.” [2]
There are subtler forms of coverage gaps, as well. In the world of business loss and the law, there are different classes of damages, depending on when and how they occur. Direct damages describe immediate losses, such as system outages or recovery of lost data. Incidental damages are the result of an attack, such as lost wages or time. When purchasing policies, some companies will waive these types of coverage without understanding the implications. Lastly, consequential damages describe losses that occur sometime after (and as a result of) a breach, for instance, the loss of revenue when you’re unable to serve customers for several days. In a 2016 case, a restaurant chain’s cyber insurance covered direct damages of a data breach, but left the restaurant high and dry for millions of dollars in fees and assessments associated with fraudulent credit card chargebacks. [3]
The savvy CISO will have done a detailed impact analysis for all major threat scenarios before shopping for cyber insurance. He or she will know what the response costs and services are going to look like and then make sure specific coverage is purchased for what’s needed. The list of possible impacts can include:
- Direct monetary losses from electronic theft, phishing, email scam, or other types of cybercrime.
- Losses due to cyber extortion, such as DDoS blackmail or ransomware.
- Losses related to mitigating and investigating an incident, including computer forensics and consultants.
- Losses due to downtime, which includes customer revenue, worker productivity, and increased operational costs.
- Loss or damage to data or software, including costs associated with replacing, patching, recreating, or restoring things to the way they were before the incident.
- Expenses associated with remediation activities, such as new control purchases, application design enhancements, monitoring, supporting staff, etc.
- Expenses associated with customer breach notification, including public relations, legal consultation, postage fees, and telephone support.
- Expenses associated with customer compensation because of the incident, including credit monitoring, service level agreement penalties, refunds, and contractual violations.
- Expenses related to liability exposures due to the incident, such as investigator fees, legal defense costs, and civil court damage costs.
- Expenses due to third-party liability exposures, including loss or corruption of third-party data or service.
Note that some insurers may require organizations to complete a full control remediation to ensure the incident does not recur. Failing to fix the root cause of the incident may void future coverage.
Sometimes cyber insurance claims are denied because an organization disqualified itself. A hospital group’s claim for losses associated with a privacy breach was turned down because its systems were not properly patched. [4] The hospital group had claimed on its application form to be performing many standard secure practices, but those practices had lapsed. This was sufficient reason for the insurer to deny payment.
Applying for insurance can sometimes be a grueling process involving detailed questionnaires and lengthy technical interviews. During this time, organizational responses must be complete and honest, otherwise the viability of the insurance contract could be annulled.
This is a significant risk in cyber insurance because many IT security practices are not 100% perfect, and occasionally there are operational lapses. Many hackers take advantage of these lapses, and that is how organizations get breached. But, with insurance policies that disqualify payment for failure to continuously implement the proper controls, an organization can easily find itself out of coverage when it’s needed most.
What constitutes failing to continuously implement the proper controls in the face of a breach? How about an incident that originates from a user violating security policy, knowingly or otherwise? CISOs know that policy violations are all too common, especially in the age of cloud-based services and BYOD. How about a user who was phished? One cyber insurance company rejected a claim because a user was phished. [5] The insurance company ruled that the access was “authorized,” even though the victim was tricked into giving the authorization.
CISOs should know all the possible impacts and costs of a breach and match them to their cyber insurance policies. Having legal help from someone with deep expertise in this area is a prudent investment before purchasing. If you can’t afford comprehensive coverage, then you could consider a catastrophic plan that covers just the worst-case scenarios. Whatever cyber insurance policies you purchase, make sure to read the fine print very carefully rather than assuming a policy provides the right coverage.