Early next year, our close friends are getting married in Mexico. By then, we expect travel to be safe again (fingers crossed!), so I got in touch with a travel agent to book a reservation at the resort in question.
Agent: “Do you want the travel insurance?”
Me: “Maybe. Please send me the terms and conditions.”
I’m no insurance expert, but I know it’s important to read these things before signing on the dotted line. Sure enough, there was one detail that caught my eye: “Refund is in the form of a travel voucher to this or one of our sister properties.”
Hmm, that’s not exactly what I had in mind.
To me, this is like your auto insurance company saying that if your car is stolen, rather than writing you a check, they will let you choose a replacement vehicle from whatever they have sitting around in the back lot.
I passed on the insurance.
Cyber Insurance: It’s All in the Fine Print
There is a reason that insurance companies make a lot of money. It’s all smiles and happy handshakes when the premiums are being collected, but when it’s time to file a claim, the exclusions are what keep you and your hoped-for compensation far apart.
Cyber insurance is particularly troublesome. Not only does it adhere to the long-held insurance industry tradition of maximizing premiums while minimizing payouts, the companies that offer this type of coverage lack consistent standards and exclusions are rampant.
For example, here are some of the most common exclusions we have encountered in reviewing our clients’ policies:
- Social Engineering Fraud. Most policies cap fraudulent wire transfers and related fraud at an impractically low value. The typical range of coverage is $0 to $250,000, with $100,000 the most common.
- Computer Hardware Replacement Costs. Some policies cap “hardware replacement” at an amount that is far below the overall policy coverage. You may think you’ve got $5M in coverage, until malware bricks all of your computers and you discover that they are classified differently.
- Cryptojacking. This refers to an attacker taking over computers and using them to mine bitcoin and other cryptocurrencies. Here, too, the coverage for this type of event is typically set very low and excluded from the rest of the policy.
So, are these a big deal individually? Not always. But in aggregate, along with other limits and exclusions, your multi-million-dollar cyber insurance policy may not be all that it seems.
Plan for the Worst-Case Scenario
When it comes to purchasing insurance (cyber or otherwise), my rule of thumb is to make sure you are protected should your controls fail and there is a significant loss to your organization – one that you cannot cover with operating funds.
With that in mind, here are five questions worth asking…
#1. Is your broker up to speed?
Many business insurance brokers know a lot about things like Professional Liability and E&O policies. Cyber insurance? Not so much. But this is where a well-informed broker can make a big difference.
If they don’t know answers to these types of questions, you may be skating on thin ice:
- What are the key exclusions in the cyber policy?
- Why did you pick this particular underwriter? Is there another one that has fewer exclusions or better resources for managing a cyber incident?
- Would it make sense to have an “excess liability policy,” to help supplement the base cyber insurance?
- Is this policy integrated with our other insurance coverage?
#2. Is our coverage aggregate limit high enough?
This is a tough one. Here at Fractional CISO we have a risk assessment methodology that we use to help provide some guidance. But sometimes, even your best assessment is not good enough. Who would have thought that Target needed more than $90 million in cyber insurance? Their 2013 hack cost them $300 million.
Still, and Target-level incidents notwithstanding, you should be able to get a handle on how big a potential risk you face given your industry and the way you operate, and balance that against your ability to weather a significant event.
#3. Is your premium “high”?
You’ve no doubt made this kind of decision before as it relates to your home, auto, or health insurance: You can decrease your premium by increasing your retention (the amount you pay out of pocket per incident).
It all comes down to how much you can afford to self-insure in the event of a loss. Often, for mid-size companies, that number is somewhere between $25k and $100k. The premium savings can be significant if you are willing to insure for the worst case, rather than all cases.
#4. Do you know who your pre-approved incident response vendors are?
My what? Exactly.
Some policies state that you are not allowed to use any technical remediator without pre-approval. Others have a sublimit of half of the policy for any non-preapproved vendors. If you don’t know how this works or who your vendors are, you are at risk of diminishing or even nullifying your coverage.
#5. Do you have a cybersecurity coach hotline to call if an incident occurs?
This is often in the form of an app, but you need to sign up for it – something you don’t want to be doing for the first time in the middle of an incident. Make sure this information is included as part of your incident response plan.
Unfortunately, when it comes to these five critical questions, the answers, in order, are often No, No, Yes, No, and Yes, but we are unaware of it.
Final Thoughts on Cyber Insurance
None of this is particularly straightforward or easy. There is a huge amount of variation in insurance companies, policies and, of course, each business.
That’s why it’s so important not just to read and understand what you are signing, but to keep those who are responsible for maintaining your cybersecurity and responding to any negative events in the loop from the very beginning.
After all, if whoever executed the policy (e.g., CFO, Chief Compliance Officer) didn’t involve the incident response team (e.g., CTO, CISO, CIO), the latter group may not know (for example) that permission is required before contacting a vendor for assistance. Skipping this step can render even the best of policies useless.
As for me, I’m off to select a used replacement car off the back lot of my insurance company. I knew I should have read that policy more closely…