Despite the ever-increasing prevalence of cyber attacks, the field of cyber insurance is still relatively new and evolving.
Insurance companies are constantly rewriting their cyber insurance policies in response to the evolving nature of risks. As cyberattacks grow in sophistication, insurance companies, attempting to minimize their potential exposure, are writing new policies aimed at imposing heavier burdens and conditions on corporate policyholders.
Although every policy is different, there are recurring issues that insurance companies raise to avoid paying the full amount of a cyber claim.
Savvy policyholders who are aware of these common issues, outlined below, will be able to work around them effectively, maximizing their potential for insurance recovery in the event of a cybersecurity claim.
This article examines some typical policyholder mistakes that insurance companies have used as a basis for reducing coverage.
1) Complete your cyber applications with your IT security officer or employee
Cyber insurance applications have become more specific and targeted in their questions about your cybersecurity infrastructure and controls. Insurers may use any inaccuracies in your application responses as a basis for trying to avoid coverage.
For example, a 2019 cyber renewal application from the Travelers Casualty and Surety Company of America asks applicants whether they have up-to-date active firewall technology; up-to-date active anti-virus software on all computers, networks and mobile devices; a process for regularly downloading and installing patches; a disaster recovery plan; multi-factor authentication; and data encryption practices; and whether they comply with payment card industry security standards.
Such technical questions are usually beyond the knowledge of the non-IT personnel who are typically responsible for submitting insurance applications.
In addition to requiring detailed applications, it is now not uncommon for insurance companies to require separate attestation forms for specific security controls.
These attestations may list the minimum requirements that must be in place to obtain cyber coverage.
An insurance company’s multi-factor authentication attestation form, for example, asks applicants not only whether they require multi-factor authentication for employees accessing the system through a website or cloud-based service (for example, when connecting remotely from home), but also for internal, non-remote access to the administrative directory, firewalls, routers, terminals and services (for example, when connecting directly from the office).
When completing such applications, it is important to remember that any inaccuracy may be used by the insurance company as a basis for denying your claim.
This is of particular concern in jurisdictions, such as New York, that allow an insurer to rescind a policy based on an error in an application for insurance, even when the policyholder did not make that error intentionally.
(See N.Y. Insurance Law § 3105 (McKinney), which allows the insurance company to rescind a policy based on a material misrepresentation in an application for insurance if the insurer can demonstrate that it relied on this misrepresentation when issuing the policy; willfulness on the part of the policyholder is not required.)
Since an unintentional error in completing a cyber application can arguably be used as a basis for denying coverage, the application should be completed either by an IT security officer or employee, or in close consultation with them.
2) Identify and remediate cybersecurity vulnerabilities before an attack
Regularly assessing your system’s vulnerabilities and installing timely patches not only helps prevent cyberattacks, but also minimizes an insurance company’s ability to deny coverage for your remediation and recovery costs on the basis that those costs constitute improvements to your system.
A cyber policy may be written to exclude coverage for system “upgrades” or “improvements”.
If your policy contains such provisions, your insurance company may claim that some system recovery costs are for unnecessary upgrades and attempt to disallow those costs on the grounds that the cyber policy is not intended to cover upgrades an insured makes to its system before the attack.
3) Hire cybersecurity experts pre-approved by your insurance company if your policy requires it
Cyber insurance policies may cover only those cyber costs incurred through the use of cybersecurity professionals approved by the insurer.
Before hiring outside cyber consultants or performing investigative, restoration, or forensic recovery work on your system, check your policy to determine whether it requires you to choose from a pre-approved list of consultants designated by the insurer. Some policies allow the policyholder to engage a cyber consultant who is not on the insurance company’s list of designated professionals, but only with the insurance company’s prior written approval.
If you hire someone who is not on the insurance company’s pre-approved list of cyber professionals and you do not obtain the insurance company’s prior written approval for that retention, the insurer may use this as a basis for attempting to deny or reduce coverage for your claim.
As a general rule, it’s a good idea to review your policies before a claim occurs and to do so regularly enough (e.g., semi-annually) to familiarize yourself with their coverages, requirements and limitations.
4) Review and note any non-cyber policies that potentially cover your claim
Review your non-cyber policies to determine whether they potentially cover cybersecurity-related losses and provide what insurance companies mistakenly call “silent cyber” coverage (it is not “silent” if the coverage grant includes it).
Such potential coverage can be found in your general liability policy, your first-party property policy, your D&O policy, and your crime insurance policy, among others.
For example, a crime insurance policy may cover the ransom paid to attackers to free up access to your system, files, and information following a ransomware attack.
See G&G Oil Co. of Indiana, Inc. v. Cont’l Western Ins. Co. (Ind. Mar. 18, 2021), which held that a ransomware payment could be covered under the “computer fraud” provision of a crime policy, even though the policyholder had declined the policy’s extension for hacking and virus coverage. The case was remanded to the trial court.
5) Your policy may require you to mitigate damage caused by a cyberattack, but don’t assume the insurance company will agree to pay your mitigation costs
Just because the policy requires you to mitigate the damage caused by a cyberattack doesn’t mean the insurance company will agree to cover your mitigation costs.
If the policy does not explicitly say that it covers mitigation costs, the insurance company may attempt to decline coverage for those costs that are not otherwise expressly covered by any of the policy’s coverage provisions.
For example, if you use your own IT and cybersecurity employees to respond to an attack, the insurance company may refuse to cover employees’ wages for the time they responded to the attack, and may claim that it has no obligation under the policy to cover employee salaries, as these are part of the insured’s normal operating expenses and would have been incurred in the absence of the cyberattack.
The insurance company may claim that these costs are not covered even if your IT employees are working exclusively to respond to and recover from the cyberattack and are not otherwise performing their normal duties and functions.
Additionally, the insurance company may deny coverage even though using your own employees ultimately reduces your cybersecurity losses (as well as the insurance company’s potential exposure) and allows you to resume operations faster due to your employees’ familiarity with your system and their ability to begin breach response immediately.
6) Don’t assume the insurance company is acting to protect your interests
A common mistake policyholders make is to assume that the interests of insurance companies are aligned with their own. Assume instead that the objective of insurance companies is to maximize their profits and that they will deploy every available coverage defense and policy exclusion to reduce their payouts.
In the context of cyber liability insurance in particular, the insurance company may ask you to hire a forensic accountant or cyber claims consultant from its designated roster of appraisers to help you assess your cyber loss.
In such cases, do not assume that the appraiser recommended by the insurance company represents your interests.
This appraisal consultant owes its loyalty to the insurance company that retains it, not to you. If you find yourself in this situation, it is best to hire your own independent professional with expertise in cyber liability claims to advise you in your dealings with the insurance company and its third-party appraisal consultant.
Insurance is probably the last thing on your mind, or certainly not at the top of your list, when you’ve suffered a cyberattack. For this reason, it is important to plan ahead, educate yourself, and know and understand your rights and obligations under your cyber policy and other potentially responsive policies now, so that you are better able to protect your business in the event of a cyberattack.