[BreachExchange] 5 Cyber Insurance Policy Gaps that Can Spell Disaster for Companies

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 12 13:56:37 EDT 2016


http://chiefexecutive.net/56157-2/

Between 2013 and 2015, the number of records exposed by data breaches grew
from 49 million to over 121 million, costing companies an average of $201
per record lost, or a total of $9.8 billion.

The growing frequency and cost of cyber attacks have led many companies to
purchase cyber liability insurance. Premiums for these policies are
expected to surpass $20 billion by 2025, up from $2 billion in 2015,
according to Allianz Global.

Despite the growth in cyber insurance coverage, however, policies often
fail to keep up with the latest cyber threats. As a result, many companies
that have been victims of cyber crimes—even those with cyber liability
insurance—have lost profits, struggled to fully recover from attacks, and
have been held liable for cyber damages.

To be fully protected, here are 5 components that a company’s leadership
team needs to ensure are included as part of its cyber liability insurance
policy.

1. Ransomware protection. When ransomware attacks occur, an organization’s
files or entire system are locked until a specified amount of money/ransom
is paid to the perpetrators. 2016 has seen a string of ransomware attacks
targeting a number of industries, especially healthcare. Ransomware
typically comes from either compromised websites or email attachments, and
employees are tricked into opening attachments that then install
ransomware. Due to the large amounts of damage caused by ransomware
attacks, cyber insurance providers are sometimes reluctant to expose
themselves to such a high level of risk, and therefore don’t always offer
ransomware coverage in their basic policies. As a result, companies
considering insurance should ensure that ransomware protection is included.

2. Legal tender vs. monies. As ransomware attacks continue to increase, it
is essential for insurance policies to clearly define and cover both “legal
tender” and “monies.” Legal tender refers to government-issued circulating
currency, while monies refer to a medium of exchange that will hold value
for a long period of time. In the cyber realm, this is most often
Bitcoin, which is the type of payment usually demanded by those committing
a ransomware attack. Companies without coverage for monies may not be
eligible for reimbursement of a paid ransom in the event of a ransomware
attack.

3. E-business interruption. In the digital age, the operation of a
company’s website is often directly linked to its ability to do business
and earn money. However, in the event of a cyber attack, websites are often
disrupted—a server can fail or ransomware may lock a web page. Companies,
especially those that depend solely on e-commerce for their sales, must be
sure that their cyber policy covers e-business interruption.

4. Third-party corruption. One common way that malware is introduced into a
company’s system is through a third party. If a business unknowingly sends
a corrupted email to another business, thereby compromising their system,
the question becomes: who is responsible? The affected business may hold
the sender/third party responsible, even if the harm was unintentional. In
this instance, if the “culprit” is sued by the affected business, it may be
assumed that an insurance policy will cover the costs. However, if coverage
for third-party corruption is not explicitly stated in the policy, it is
likely not covered. As a result, the business that unknowingly passed along
the virus will have to deal with the costs of repairing the damage from the
incident.

5. Exclusions. Even if the four previous components are included in a cyber
liability policy, they can count for little if companies do not carefully
review the exclusions within a policy. For example, a company’s policy may
exclude:

* Paper files containing protected information
* Unencrypted data
* Claims brought by regulators or by the government
* First-party notification expenses for disclosing personal health
  information, corporate confidential information or personally
  identifiable information

As cybersecurity threats continue to evolve, it is vital for companies and
their leadership teams to be constantly analyzing and updating their cyber
liability policies. Failure to do so can have potentially disastrous
consequences.