While enterprises seek cybersecurity liability insurance to mitigate the financial risks associated with digital attacks, obtaining it is not as simple as filling out an application and paying a reasonable premium. In fact, rising cybersecurity liability insurance premiums and the fear of having claims declined have recently made cybersecurity insurance a hot topic.
When Wim Remes joined information and communications services provider Damovo as CISO, one of the first things he did was cut out their cyber liability insurance. “We didn’t have direct customer requirements to carry it, and our broker raised our policy by a factor of 10,” explains Remes.
At that moment, Remes didn’t have the time to negotiate or search for an alternative broker, so he chose not to renew.
Michael Farnum, chief technology officer at cybersecurity consultancy Set Solutions, says he’s seen customers struggle to find value in having a policy and with the negotiation process. “They want to mitigate their financial risk. But the size of the premiums and complexity of the terms, along with fear of having claims denied, have many companies reconsidering the value of cybersecurity insurance,” Farnum says.
Insurance broker GB&A says the most common reasons firms are denied coverage involve so-called “failure to follow” or negligence exclusions. These exclusions are for companies that fail to responsibly protect their systems or follow procedures outlined in the application process.
Regardless, the use of cybersecurity liability insurance is going to rise. U.S.-based Fitch Ratings says cyber insurance payouts (and premiums) continue to grow and reports that insurance companies are managing to get a handle on their loss ratios (claims paid plus expenses, divided by premium income).
Further, many third parties, such as customers and business partners, require cybersecurity liability insurance in contracts. Many organizations still want to rely on insurance to mitigate their financial exposure to a data breach or digital disruption. Organizations need to understand what they’re getting into and avoid the pitfalls to get the most out of their cybersecurity liability insurance.
We spoke with several experts, and they warned of the following pitfalls to avoid when seeking cybersecurity liability insurance:
Pitfall #1: The Security Program Needs to be More Mature. Years ago, when it came to cybersecurity liability insurance, if organizations had insurance, it was part of another insurance policy, and the insurers were considerably less rigorous about requirements. “Today, they are much more stringent,” says David Elfering, senior cybersecurity specialist, SVP at insurance broker Marsh. “They want to know if you’ve had any previous incidents. And they want to know how secure your company is. Most insurers will want to conduct a pre-audit and ensure processes and security controls are in place and followed,” says Elfering.
The requirements are rigorous. Marsh, for instance, has 12 cybersecurity controls it wants to see in place: multifactor authentication, email filtering and web security, verifiably secured/encrypted backups, privileged access management, endpoint detection and response, vulnerability management, incident response, awareness training, hardened systems, effective logging and monitoring, secure end-of-life processes, and vendor/digital supply chain risk management.
Pitfall #2: Underestimating the Scope of Coverage. Companies often purchase insurance policies that do not adequately cover the full extent of their cybersecurity risks. This leads to gaps in protection.
“When looking at what areas you want to be covered and how much you want to be covered, it’s best to look toward where you already spend your security budget and your efforts in your security program,” Farnum advises. “What data and systems does your security program focus the most on protecting? If you conduct a penetration test, what systems are likely the focus? This will give you a good indication of what needs to be insured,” he says.
Pitfall #3: Not Involving the Right People in the Process. Companies may make decisions about purchasing cybersecurity insurance without involving vital internal stakeholders. “You must understand your systems and data to understand your risk fully,” says Elfering. “And to understand the related business risk and financial exposure, you need to have business leadership involved to help make that determination,” he adds.
That means representatives from the IT department, business leadership, legal counsel, the CISO’s office, and risk management, if applicable, should all be involved.
Pitfall #4: Failing to Understand Policy Terms and Conditions. Companies may not fully understand the terms and conditions of the insurance policy, including any exclusions or limitations.
When evaluating a cybersecurity liability policy, companies should carefully assess several key terms and conditions:
Coverage: The policy should clearly state the types of covered losses and damages. This includes first-party coverage (direct losses to the company) and third-party coverage (losses to customers, vendors, etc.).
Limits: The policy should specify the maximum amount of coverage available for each type of loss and any sub-limits or deductibles that apply.
Exclusions: The policy should list any specific events or types of damages that are not covered, such as losses resulting from intentional acts, war or terrorism, or pre-existing conditions.
While experts say those three are all critical, so are many other conditions, such as the notification requirements within the policy and the incident response services the insurer will provide following an incident, such as forensic investigation, legal support, credit monitoring, and possibly others.
Elfering warns that organizations that don’t carefully look over their exclusions may find they aren’t covered to the level they think they are when a security incident occurs. “You think you have a $3 million policy, but when a specific event occurs, you find out you’re only covered for $200,000 for that type of event. You want to review these conditions carefully,” he says.
Pitfall #5: Focusing Solely on Cost. Companies may prioritize cost savings over the quality of coverage, which could lead to inadequate protection.
When all the costs of a data breach or cybersecurity incident are tallied, the total often reaches six figures. That includes breach response and investigation, breach notification to customers, partners, and regulators, the cost of any lost business, legal fees, and fines.
Those potential costs are why the goal shouldn’t be to get the cheapest policy. The goal should be to get the right policy at the right price. “If you’re going to buy insurance, you want to ensure you have enough coverage for the risks to your business. If you’re an e-commerce operation, look at the potential costs of a breach associated with that business area. A manufacturer, meanwhile, would want to pay careful attention to anything involved in production.”
Other factors that determine the adequate level of cybersecurity insurance include the value of the company’s technology assets, the business value those assets produce, the type and quantity of data managed and stored, the specific industry, and regulatory compliance mandates.
Pitfall #6: Not Keeping Up with Changing Risks. The cybersecurity landscape is constantly evolving, and companies must keep pace with these changes by regularly reviewing and updating their insurance coverage. As business conditions and technology change, the cybersecurity insurance policy must change with them. As company revenue grows, what was good coverage three years ago may not suffice anymore.
“You can’t just keep the policy on the shelf. Technology changes, business risks change, the scope of coverage changes, and attackers change how and what they target,” says Farnum. “It’s not like car insurance where you can often decide coverage and cost and essentially coast on that policy throughout the life of the car,” he says.
Pitfall #7: Not Conducting Proper Due Diligence. Companies may not thoroughly research and evaluate insurance providers before deciding, which could lead to signing an inferior policy.
When looking for a broker, the experts we interviewed advised organizations to seek a cybersecurity liability insurance broker with specific expertise in cybersecurity insurance, a good reputation in cybersecurity insurance, and one that works with a wide range of insurance carriers. Be sure to understand their fees and commission structure.
An excellent place to look for such brokers is among existing trusted advisors, peer CISOs, and other knowledgeable contacts. “There aren’t many good cybersecurity insurance brokers out there,” laments Remes. But that isn’t dissuading him from carrying a new policy once he’s ready. “I will probably go back to the market in a few months after I’ve cleaned house and have a clear roadmap to present in the hopes of having reasonable negotiations.”
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.