Businesses of all sizes are now commonly purchasing "cyber insurance” coverage to protect against financial losses from data security incidents. But these policies—which are not written on standardized forms—can vary widely in what they cover. Here are some common gaps in coverage to watch out for.
Inadequate business income or business interruption coverage.
Many businesses that have had a data-security incident find that the disruption to their business is more harmful than the data that is stolen or otherwise compromised. Coverage is available for business income lost due to an incident, but it is often subject to a sub-limit that may be inadequate, or there may be a waiting period before the coverage will kick in and it may be too late to provide real relief.
Social engineering fraud is not fully covered.
One of the major cyber causes of loss these days, called social engineering fraud, may not involve any hacking at all and is therefore usually not covered under a cyber policy. Social engineering fraud occurs when a criminal tricks a company into sending money to a fake business or bank account. Or the criminal may impersonate the CEO or another high-ranking company official and ask for W-2 information from its employees. This often happens when the criminal is “spoofing” an e-mail address, creating what appears to be a valid e-mail address and asking for money to be spent (or soliciting W-2 information) without any hacking at all. This type of trickery may not be covered under a standard cyber policy because it’s not technically considered “hacking” under the policy language. Instead, social engineering fraud is usually covered through an endorsement of a crime or other similar policy. Here again, watch out for sub-limits that are too low.
Limited choice of counsel/forensic vendors.
Many cyber policies limit the policyholder to pick from a short list (sometimes 3 or less) of legal counsel or forensic computer service to investigate and deal with the aftermath of an incident. More problems may arise if a conflict develops with one of these preferred vendors, or if they are not sufficiently familiar with your business to hit the ground running. It is possible, although often more expensive, to either buy coverage without such restrictions or to ask that these preferred vendors be “pre-approved.”
Limited coverage for cloud-related risks.
Because cyber coverage is not standardized, policies may differ in whether they will provide coverage for a data-security incident at a cloud storage vendor who houses your data. For example, some policies may cover liability risks (lawsuits) arising from such an incident, but may not cover the cost of investigating that incident or the downtime caused by the disruption with the cloud provider. Coverage may also exclude any costs you incur pursuing a remedy from your cloud storage vendor. If your business, like many, is heavily reliant on a cloud vendor, make sure your policy covers this risk.
Gap between sub-limits and excess coverage.
Many cyber policies cover certain types of loss subject to a sub-limit. This can pose a problem if the company has excess coverage sitting on top of the cyber policy, but the "attachment point" of the excess policy is set at the full amount of the underlying policy. For example, if a company has a cyber policy with a $1 million limit overall, with a sub-limit of $50,000 on ransomware-related losses, and an excess policy that says that it pays "ultimate net loss" over $1 million, the company may have a $950,000 gap if the ransomware loss exceeds the $50,000 sub-limit. This is a good reason to push to have all sub-limits for covered loss in the cyber policy set at the full amount of the coverage.
Applications for insurance become "warranties" of business practices.
This is more in the nature of a "gotcha" than a "gap." Most cyber policies require the policyholder to fill out a fairly detailed application that asks about the business practices regarding security and contractual risk transfer. If the policy is placed, this application will usually become an express warranty and incorporated into the policy, requiring the business to maintain these practices or risk losing coverage. Businesses, therefore, need to answer questions in the application carefully and be sure that their ongoing practices keep pace with what they said in the application.
Furthermore, the repercussions of a cyber incident may result in damage to the company’s credibility. In this case, it is important to understand what is and what is not covered. Reputational damage from a data-security incident can be significant, and in some cases devastating, but insurance policies do not provide coverage for this. That said, most cyber policies do provide coverage for public relations expenses due to a breach, to mitigate that reputational harm.
Cyber insurance is becoming a necessity for almost all businesses due to the changing tactics of cyber-criminals, who now often go after mid-size firms that are vulnerable to social engineering fraud and ransomware attacks. The need for this protection is therefore no longer limited to big retailers, hotel chains, or hospitals with lots of credit card of healthcare data. But because the coverage forms are not standardized, getting good advice on which cyber policy to choose is critical. An excellent first step is to look out for the most commonly seen gaps (like those listed above). This list is by no means comprehensive, so for a more thorough review, consider examining your policy with your legal counsel.