[BreachExchange] Cyber Security Insurance: Nine Questions to Ask to Determine Your Exposure

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 2 18:05:16 EDT 2018


https://www.jdsupra.com/legalnews/cyber-security-insurance-nine-questions-91584/

There is an increased interest in cyber security insurance for businesses
amid frequent news of computer hacking, network intrusions, data theft, and
high-profile ransomware attacks.  Since cyber security insurance is
relatively new to the market, many companies lack a basic understanding of
what their policy covers and what it may not.

Questions to ask your insurer:

1.    Does my policy cover my vendor’s errors in addition to mine?  Vendor
management is becoming increasingly important for businesses, especially
those that deal with sensitive information (e.g. financial services or
health care).  It is important to identify whether your cyber policy covers
your loss of data when it is in someone else’s possession.  For example, a
policy may reference coverage for “your computer system” but the definition
of “your computer system” might exclude (or not reference specifically) the
cloud or networks run by third parties.

2.    Does my policy cover “inside the house” risks?  Employees are the
single greatest threat to a business’ cyber security.  Many cyber policies
only cover the malicious theft or destruction of data from an outside
source, but studies have found that many times it is employees who are
unintentionally and unwittingly contributing to data loss and breach.

3.    Does my policy cover cloud-related risks?  Certain insurers have used
“sub-limits” or lower limits of coverage that cap the amount available for
claims specific to cloud-based risks for cloud users.  Also note that some
policies will have an exclusion for liability assumed through contract by
the cloud provider.  This means that your cloud provider may have far less
liability coverage for your data than you assumed.

4.    Does my policy apply retroactively?  It takes an average of 256 days
for most businesses to identify a malicious attack.  If the attack occurred
prior to you obtaining the policy, you may run the risk of your insurance
not covering it.  Some insurers will offer retroactive coverage for an
additional premium.

5.    Is my policy limited geographically?  Some policies limit coverage to
the United States or put restrictions on how far from your place of
business events or incidents must take place in order to be covered.  If
you are using cloud-based services, those servers could be located outside
of the U.S. or could be thousands of miles from your business’ headquarters.

6.    Does my policy cover physical breach?  Claims relating to a cyber
attack on your systems are covered, but what about physical breaches?
Phone systems, security cameras and other systems that are controllable
through the internet are all exploitable.  It is important to have a clear
understanding of which insurance product covers the physical aspect of a
breach.

7.    Who is my contact in the event of breach?  A set claims process
following a cyber-security incident is something an increasing number of
insurers are implementing. It is important to understand your insurer’s
policy and know who your point of contact will be in the event of a breach.

8.    Can I get a reduction in premiums if I implement certain
policies/procedures?  Many insurers will offer you lower premiums or
renegotiate your existing premiums if you can demonstrate you have taken
concrete steps to manage your information security risks.

9.    Does my policy cover PCI-DSS Assessments?  One of the more common,
and expensive, cyber liability risks is card payment processing
information.  The Payment Card Industry Data Security Standard (PCI-DSS) is
a proprietary information security standard for organizations that handle
branded credit cards from the major card schemes including Visa,
MasterCard, American Express, and Discover.  From these standards, the
credit card industry sets assessments for data breaches involving credit
card information, and fines and penalties for violation of the PCI-DSS.
Coverage for such liabilities often requires a specific policy or coverage
type.

The question of whether other insurance policies provide coverage for cyber
incidents is hotly contested, but one that can be expensive to litigate.
For that reason, it is important to fully understand existing coverage of
cyber incidents.