[BreachExchange] Cyber Insurance Coverage Gaps May Surprise Many Organizations

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 7 20:27:40 EDT 2016


http://www.information-management.com/news/security/cyber-insurance-coverage-gaps-may-surprise-many-organizations-10028580-1.html

Many organizations are turning to cyber insurance policies to help them
cover costs related to information security events, but coverage is complex
and may not provide blanket protection for all costs.

Policies may contain hidden coverage limits, and many times, small group
practices may not realize that gaps exist in their coverage, warns Collin
Hite, leader of the security recovery, data privacy and security group at
the Hirschler Fleischer law firm in Richmond, Va.

Cyber attacks are hitting provider organizations of all sizes, and small
practices are not exempt, Hite says. These practices could be easy prey
because they don’t have sophisticated IT security in place and can’t afford
to fight off an attack, and they typically don’t have redundant backup
systems.

Consequently, small practices need to look into cyber insurance, as have
providers of all sizes, Hite says. However, coverage comes with limits, and
not all of those limits are clear. Language in insurance policies commonly
includes “sublimits,” which “can really play a game of ‘gotcha’ in the
coverage,” he explains.

Sublimits are caps on what the insurer will pay for certain services
covered under cyber insurance. For example, payments for public relations
services following a breach may be capped at $100,000, and if the breach is
sizable, that won’t be enough.

Some types of cyber insurance may include sublimits on credit monitoring
services. If the sublimit is $200,000 and the services cost $225,000, the
provider is on the hook for $25,000. “Work with your broker and underwriter
to assess your needs and costs, but it’s a best estimate, not a perfect
science,” Hite advises.

When purchasing coverage, be proactive to ensure you are getting the
coverage you expect. Work with a broker who really knows the field, because
the security environment and subsequent insurance market are changing so
rapidly, says Hite, who also suggests procuring the services of a cyber
insurance coverage attorney to negotiate with the broker on the policy.

Breaches are expensive; costs are everywhere. There are the costs of
re-securing and rebuilding a network, legal help, forensic
investigations, PR work that includes breach notification, protective
services for affected patients, extortion coverage and other
liabilities. Providers may not be buying insurance that covers all of these
issues, Hite warns.

Provider organizations also may consider buying third-party coverage to
address liability claims from affected individuals. To date, most victims
have not been able to demonstrate proof of harm, but if they can in future
incidents, addressing those claims will cost money.

Even after providers assess whether they are buying enough coverage and can
financially handle additional costs once sublimits are reached, providers
must look closely at the definitions contained in the policies. “The real
issue in cyber coverage is definitions of certain terms, which could
exclude coverage,” Hite says.

Coverage goes into effect on the day it was bought, but in instances where
a hacker already has infiltrated information systems before a policy was
purchased, there is no coverage because policies often don’t work
retroactively. Hite advises buying a “retroactive date” policy that covers
the organization back at least one year.

Organizations with the financial and technical means should have a strong
response team in place with everyone knowing what their duties are if an
attack comes. Smaller providers, however, are more reliant on external
help. But there is homework they can do now to be better prepared later on.

Insurers will give providers a list of available law firms for which they
will pay. Pick a firm and start a relationship with the firm immediately,
regardless of your organizational size, Hite counsels. This way, “you’re
not figuring out things on the fly about getting forensics, a law firm and
credit monitoring,” he says. “This is a risk management and brand
management issue.”