What You Need To Know About Cyber Insurance

Julian Cohen
5 min read · Jun 29, 2020


Many organizations use cyber insurance to satisfy legal or regulatory requirements, as a financial risk mitigation, or as a last resort control. However, most folks don’t know where their insurance policies fall short. Here’s what you need to know.

Types of Insurance

Business Owners Policy (Commercial Business Policy) — An insurance package policy that typically includes Commercial General Liability (CGL) Insurance that covers liabilities like bodily injury, property damage, and personal and advertising injury (slander and false advertising) and Commercial Property Insurance (CPI) that covers equipment, inventory, and furniture against theft and damage (not flood damage).

Errors and Omissions (E&O) Insurance (Professional Liability Insurance) — A form of liability insurance which helps protect professional advice- and service-providing individuals and companies from bearing the full cost of defending against a negligence claim made by a client, and damages awarded in such a civil lawsuit.

Directors and Officers (D&O) Insurance — A type of liability insurance that protects company executives and board members from lawsuits. It covers defense costs, monetary damages, settlements, and awards for defending against claims made by shareholders or third parties.

Crime Insurance — An insurance policy that covers dishonest acts like petty theft and funds transfer fraud committed by part-time staff, volunteers or contractors, property damage, and burglary.

Specie Insurance — A specialty lines insurance product intended to protect highly valuable physical assets, such as fine art, precious metals, gems, securities, jewelry, cash, and cryptocurrency. Specie insurance may come with additional physical security requirements.

Cyber Insurance — A specialty lines insurance product intended to protect businesses from breaches, Internet-based risks, and more generally from risks relating to information technology infrastructure, information privacy, information governance liability, and activities related thereto.

Coverage Scenarios

Loss of Value — If a software or security issue results in the loss of assets, cash, or intellectual property. This is not covered by cyber insurance. You will need an errors and omissions policy or a crime policy that covers loss of these items.

Theft — If an adversary steals assets or intellectual property. This is not covered by cyber insurance. You will need a crime policy for coverage. Theft of office items like laptops and other equipment may be covered by your business owners policy.

ACH Fraud or Wire Fraud — If one of your employees or malware sends funds fraudulently to another person and they can’t be returned by the bank. This is not covered by cyber insurance, but may be covered under a crime policy.

Social Engineering — In some cases, your cyber policy may cover wire fraud if an adversary tricks an employee into sending funds to a fraudulent account. This is covered under a social engineering carve out and often has very specific requirements.

Stolen or Lost Personal Records — If an adversary steals (or you accidentally leak) your customer records (PII or personally identifiable information). This is covered by cyber insurance, but typically only costs related to response and containment are covered, like an investigation, setting up credit monitoring for affected customers, and any civil damages. Any reputational damage, data loss, and other costs related to the breach are typically not covered.

Denial of Service and Outages — If a malicious adversary is the cause of an extended outage, resulting in loss of revenue. This is covered by cyber insurance, but there may be a minimum outage duration and a waiting period for your claim to be approved. Other kinds of outages caused by disaster, fire, or flood may be covered by your business owners policy as a business interruption (note that your business owners policy may have an act of god exclusion).

Extortion — If an adversary threatens downtime with a denial of service attack or a payment is required to reverse a ransomware attack. This is covered by cyber insurance, but there may be large deductibles and other exclusions that prevent a claim from being paid. Also, pay attention to the common exclusions below.

Common Exclusions

Negligence or Failure in Security Measures — As part of your cyber policy, you are required to attest to and maintain a minimum set of security controls and policies. If these controls and policies are determined to be lacking at the time of a breach, a claim may be denied due to negligence.

Act of War — This is typically described as any “war-like activity”, which of course can be left to the insurance company to interpret in any way that suits them. Any breach that can be attributed to a state-sponsored adversary or any international conflict could result in a denied claim under an act of war exclusion.

Terrorism — Similar to the act of war exclusion, this gives the insurance company a lot of leverage. If your data was deleted or stolen by a politically-motivated adversary for the purposes of a political or religious statement, a claim may be seen as terrorism and not covered.

Loss Payee (or Additional Insured) — If you are affected by a breach that doesn’t happen to you, it’s very difficult to be awarded a claim unless you are designated a loss payee or additional insured on the policy of the covered entity.

Employee Dishonesty — If an employee steals customer records (PII), assets, or funds, this may not be covered under your cyber policy or other policies unless you have specific coverage for employee dishonesty.

What this means for regular people

Although obtaining cyber insurance often comes with strict security and compliance requirements, once a policy is in place it becomes easy for large organizations that don’t care about your privacy to write off the risk of losing your personal information. There may still be some reputational damage, but all the costs and PR will be covered by insurance. And let’s be honest, a loss of customer information doesn’t cause long-term stock price damage or long-term customer disloyalty.

What this means for organizations looking to purchase cyber insurance

Most organizations will need and have cyber insurance, but don’t let it fool you into a false sense of security. While cyber insurance can be useful, it certainly isn’t a meaningful mitigation against many worst-case scenarios. Know what scenarios are covered and not covered under your policies and make smart decisions based on that.


Written by Julian Cohen

Risk philosopher, CISO, Program builder, Advisor, Investor, Ex-vulnerability researcher, Ex-CTF organizer and competitor.