Just when you thought you were covered…
A few years ago I entered the world of Cybersecurity. As a newcomer on the scene, I wasn’t entirely sure what I would think of this new space. It turns out that it wasn’t before long that it really grew on me since I was genuinely interested in technology or at least that’s what my 6 hours and 23 minutes of iPhone screen time each day would suggest. Of course, I could now tell anyone who asked what I do for a living, that “I work for a tech company,” which admittedly sounded pretty cool.
As I began to dive into all things Cybersecurity and familiarize myself with best practices, trends, and the hard hitting data—I found myself struggling to believe how any of these statistics could possibly be real.
I’m betting many of you have felt like this before. Just take a look at some of these statistics...
A cyber attack occurs every 39 seconds.
594 million people affected by cyber crime each year.
400% increase in cyber crime during 2020.
Ransomware up 148% and phishing attacks up 600% in 2020.
60% of small businesses close within 6 months of a cyber attack.
How could this all be real, or accurate?
As you begin to take more of an interest in something, you start noticing it in more places. The word breach could not avoid the headlines I was reading each day. Facebook, Marriott, Twitter, Microsoft, Equifax, Canva, and Barnes & Noble as I type this out. To make matters worse, now small businesses have become a primary target for cyber criminals. Which is a huge issue because 43% of small businesses lack a cybersecurity defense plan or strategy.
I found out very quickly just how big of a deal cybersecurity is and how big of a responsibility it is to keep your technology safe. The threats to your business are nearly constant! Even with a team of cybersecurity professionals on watch (very few have these resources) and the best tools to support your defenses—there is no guarantee you can keep hackers out of your business.
It’s no wonder why the Cyber Liability Insurance market is BOOMING and for good reason too.
Cyber Liability Insurance is still a relatively new kind of insurance that is meant to help businesses respond in the event of a cyber attack on their network or system. And, while Cyber Liability Insurance provides a safety net for each business walking the tightrope that is today’s digital world—they still haven’t ironed out all the kinks.
Sometimes the Cyber Liability Insurance market can be referred to as the “Wild West.” This is meant to illustrate how confusing Cyber Liability Insurance policies have proven to be. Depending on the insurer, what is actually covered can be two completely different stories and policy language will often lead the insured to believe they are covered when they are not. Understanding common Cyber Liability Insurance policy exclusions is an important step in protecting your business and preventing unwanted surprises.
Below are a few of the most common Cyber Liability Insurance policy exclusions that prevent the insured from receiving full payout during a claim:
Failure to Maintain
Failure to maintain refers to when a business fails to implement or maintain “minimum” security standards as explained in their Cyber Liability Insurance policy. Insurers are known to include language in a policy that can be used as an exclusion of coverage if a business does not keep to a certain level of security. Depending on the policy, minimum requirements can vary greatly ranging from a list of security best practices laid out by the insurer to industry standards which many have come to find are not always clearly defined. And then sometimes it’s a mixture of both, which can create a lot of confusion in understanding your Cyber Liability Insurance policy.
There are a number of things you can do to protect your business from a Failure to Maintain exclusion like monitoring your environment, regular system maintenance, following cyber security best practices, and employee training. But, it is still recommended that businesses seek the guidance of an IT or compliance professional that can clarify policy terms and make sense of exclusions, remaining compliant with your Cyber Liability Insurance policy by exercising at the very least, minimum requirements.
Cyber Extortion
Cyber extortion attacks like Ransomware are up 148% this year making for a very important exclusion conversation. Cyber extortion clauses can often be misleading as to what is actually covered. This occurs most commonly when trying to figure out if a policy covers losses suffered as a result of a cyber extortion attack that go beyond the “demand” or money requested to restore your data. During a ransomware attack, hackers encrypt your files and demand a ransom fee that must be paid to regain control of your data. While these fees are not cheap, this may only be the tip of the iceberg in comparison to the damages that occur from lost income during the time your system is held hostage.
If your policy will only help cover the ransom or extortion fee, your business may be on its own in dealing with lost income due to a cyber extortion attack—this is not ideal. Take time to carefully review your Cyber Extortion Clause to understand limits, sublimits, deductibles, and time deductibles to avoid any last minute surprises.
Social Engineering
Social engineering schemes involve the psychological manipulation of unsuspecting employees to trick them into handing over sensitive information or providing access to private systems. This will typically occur through a phishing email where a hacker poses as an executive, vendor, or client, but can also happen via phone call or even in-person. With a 600% spike in phishing attacks this year, many Cyber Liability Insurance policies view social engineering attacks as a gray area and include loopholes that allow Insurers to deny coverage. These exclusions can apply when an employee voluntarily transfers money on behalf of the company, when a fraudulent request was completed over the phone instead of a computer, or when losses don’t directly impact the insured (your business), but rather the insured’s clients (your clients).
It is recommended to make sure that your Cyber Liability Insurance policy includes a social engineering endorsement, rather than having to depend on a computer fraud and forgery clause to address social engineering issues. Take time to review your social engineering endorsement because not all endorsements are created equally.
PCI Fines and Assessments
Any company that accepts credit cards or stores credit card information must be PCI compliant—those are the rules. PCI is a set of security requirements to make sure businesses that process credit cards are taking the appropriate steps to protect customer data and reduce the chances of having it stolen. When these standards are not met, the possibility that cyber criminals could compromise a businesses financial information and use it fraudulently increases drastically. If your business is breached and found non-compliant with PCI, you may be subject to PCI fines and assessments.
Insurers have consistently limited or denied coverage for PCI fines and assessments. While PCI fines may only reach $100K, PCI assessments can be very costly. There are also cases where insurers will group PCI fines and assessments together with a sublimit that leaves the insured with less coverage than they had understood due to vagueness in policy language. Again, businesses should thoroughly review their Cyber Liability Insurance policies and request the help of a seasoned compliance professional to be sure they purchase an appropriate policy for their business.
In Conclusion
Cyber Liability Insurance is not a luxury in today’s digital world—it’s a must have.
During a time when cyber attacks and cyber crime are spiking to never before seen record highs, Cyber Liability Insurance is there to help your business respond in the event of a breach. Since odds suggest your business will experience a cyber incident at some point, this is one type of coverage you do not want to overlook. Most businesses assume that losses resulting from a cyber attack will be covered by their Cyber Liability Insurance policy, this is not always the case. While navigating Cyber Liability Insurance policies can be challenging, do not risk learning this lesson the hard way. Get assistance from a compliance professional that can make sure you invest in the right policy to protect your business while carefully explaining the fine print so you understand your coverage fully.