Cyber insurance is a critical form of risk management, designed to mitigate the financial impact of a breach or other security incidents. By spreading the risk, it helps reduce the potentially catastrophic consequences to manageable levels. Cyber insurance is a fundamentally financial tool that is often handled by the financial or insurance arm of any organization, with strong involvement of the cyber security teams. While complex, this blog aims to simplify the essentials.
Key players in the cyber insurance market (insurers, brokers, reinsurers) assess the risk profiles of thousands of organizations and develop financial products to cover these risks.
Factors that affect your cyber insurance cost and coverage
The cost and coverage of a cyber insurance policy depend on several factors, including the potential size of a cybersecurity claim (the “coverage”), the organization’s level of security and the criticality of its cyber risk. Insurers offer policies that are within the insurers acceptable risk tolerance levels.
For example, healthcare organizations often face higher insurance costs because they are prime targets for attackers due to how extremely valuable business continuity and personal data are to the victims. To control ballooning costs, insurance companies may refuse to offer policies to organizations deemed highly vulnerable to cyber risks. For more details on qualifying for cyber insurance and reducing policy costs, check out our cyber insurance guide.
Read the fine print: Understand policy exclusions
One primary reason a cybersecurity claim might get denied is due to exclusions. Insurance is worth only as much as the certainty of a payout when disaster strikes. If you can’t rely on your insurance policy to cover the security incident, then it’s not a great pillar for your risk management strategy. So, let’s explore the key considerations surrounding denied cybersecurity claims.
Every insurance policy outlines the terms and conditions for eventual payout, detailing which risk events are covered and which are excluded. Traditional insurance policies use somewhat standardized language for this, which has been tried and tested in courts, providing fairly clear meaning for all stakeholders, including potential judicial review.
Exclusions get a bad reputation for denied cybersecurity claims, but these are valuable tools for controlling the price of the policy. Businesses can pick and choose what kind of coverage they need, and safely exclude risks that they can afford to ignore. Armed conflict can cause massive devastation, leading to extraordinary claims. To balance this threat with appropriate revenue, policy costs would have to be astronomical. The solution was to create specialized insurance products which offer war coverage for those who need it, keeping costs reasonable for standard policies.
Cyber insurance is still a relatively new field, and contractual language is not well tested in legal proceedings, while also lacking some industry-wide standardization. That’s why recent lawsuits around cyber insurance have gotten so much attention: courts are sorting out what specific policy language means and setting valuable precedents for the future. This is changing quickly, the recent Maersk judgement, and a new set of standardized legal language is going to clear up the foggier areas.
To avoid the unpleasant surprise of a denied claim, you’ll need to ensure that you have a good understanding of your policy exclusions and inclusions, and that the policy you’re about to sign covers all important risk events, and none of the unnecessary ones.
You need to prove what you claim
Every cyber insurance application has an extensive, multi-page self-assessment form which asks the applicants to describe in detail their cybersecurity posture. This assessment serves as the basis for modeling the insurance policy, and your costs will directly reflect your cybersecurity posture. More vulnerable organizations should expect to pay more, while companies with mature cybersecurity programs will pay less.
What a lot of organizations fail to realize is that this self-assessment is part of their insurance contract – it’s not a meaningless bragging sheet. Your organization’s claimed level of security is expected to be maintained throughout the contract period, and insurers also expect organizations to prove their security levels, in the case of a breach.
Case study: Travelers v International Control Services (ICS)
A key precedent in the cyber insurance realm is the case of Travelers v International Control Services (ICS). In this case, a denied cybersecurity claim made its way to a lawsuit. The case hinged on ICS claiming it had multi-factor authentication (MFA) in place when it applied for a cyber insurance policy. Flash forward – the company experienced a ransomware attack and forensics investigators determined that ICS did not have MFA as claimed. Travelers denied the claim, asserting that ICS falsely represented its level of cybersecurity, voiding the contract.
The implications for policyholders
The judgment clarified that policyholders must maintain the security posture indicated on the self-assessment form, and (probably even more important) be able to prove it. For any organization filing for cyber insurance, self-auditing, extensive logging and enterprise-grade reporting are non-negotiables in their security tools.
An important question for every CISO: do you have precise records that prove that user X had MFA enabled at a specific timestamp? Is that proof admissible in court? Is it tamperproof?
Cyber insurance is a team effort
Cyber insurance requires teamwork. Work with your risk management expert and your legal team. If you’re a member of the IAM or cybersecurity team of your organization, your expertise might not cover the finer legal details of your insurance contract.
If you’re part of a small organization without in-house experts, make sure to work with an external partner. Your broker might also be able to help you match legal language with your specific risk management needs. Skimping on details might come back to bite you later.
Conclusion
Securing solid and affordable cyber insurance and ensuring your cybersecurity claims are honored requires understanding your policy exclusions and maintaining your stated security posture by implementing the right solutions and strategies. By carefully managing these elements, you can strengthen your risk management and avoid the devastating experience of a denied cybersecurity claim.
If you found this blog interesting, keep reading! This eBook outlines how to qualify for better deals on cyber insurance policies by proving the maturity of your security program.
