Ransomware attacks and data breaches are all over the news, so businesses are naturally interested in acquiring coverage to help protect themselves financially from these threats. When evaluating cyber insurance, most businesses focus on coverage limits. The bigger concern, however, should be the actual policy clauses rather than the limits alone. You can have a $5 million policy, but if a claim is denied because of a clause you never noticed, the coverage limit doesn't really matter. The devil is in the details.
Key Items to Look for in a Cyber Insurance Policy:
- Cyber Extortion/Ransomware: Does the policy only cover the ransom payment, or do you have the option to resolve the incident without paying the ransom and have those costs covered?
- Data Loss & Recovery: Are lost productivity and business losses covered if malware erases your files? Are data recovery costs included in the coverage?
- Civil Suit Coverage: Is reimbursement covered for defending against civil suits brought by victims of fraud or identity theft resulting from a breach of your business's data?
- Fines & Breach Notification: Are regulatory fines (HIPAA, NYS DFS, etc.) and/or the costs of disclosing the breach, notifying victims, and providing credit monitoring for those whose data was lost covered?
- Cyber Terrorism/Act of War Coverage: If a cyberattack is deemed to be the result of a foreign government's or terrorist group's action, will it still be covered? What is the threshold for this determination?
- Actual Financial Loss (the value of cash or goods lost to fraud) & Remediation and Investigation (IT and legal professional costs): Are both of these items included in coverage, is it an either/or, or is only one of them covered?
Some policies exclude anything that originated from social engineering, or anything that might be covered under your general business insurance policy. What specifically is not covered under the policy?
Not all policies offer the same coverage, and it's important that you carefully review this new product with your insurance agent to make sure you're financially protected in the manner you expect. Your cyber extortion policy may only cover paying the ransom (which may or may not actually result in restoration of your files) and may not cover the cost of IT professionals (like LMT) restoring data from backups. If that's the case, you're gambling that the criminals victimizing you have purchased or written ransomware that can actually restore all of your files. There are many reasons the criminals behind the ransomware may be unable to restore the files; see our previous post "Should I Pay the Ransom?" for more details.
One prime example of why you should carefully review the Cyber Terrorism/Act of War portions of your coverage is the ongoing case of Mondelez International, Inc. v. Zurich American Insurance Co. In this case, Zurich is denying a claim for damages caused by NotPetya, an "eraserware" (it was presented as ransomware but ended up wiping out the data instead). Since NotPetya's development had been attributed to the Russian government as an offensive weapon against Ukraine, Zurich claims the loss is not covered under the cyber insurance policy because it is seen as an "act of war."
Additionally, claims can be denied if your company isn't making its best effort to protect its systems. Reviewing what your insurance company requires as adequate effort on your part, and understanding the clauses it has in place, is as important as the limits it offers.
Coming up later: "Cyber Insurance: Are Your Limits Enough?"
James Keeler, CISSP
LMT Cybersecurity Manager