
Cyber Insurance: Beware of the Fine Print


Seth Berman, Partner, Nutter
As the frequency of data breaches continues to skyrocket, the cyber insurance market has exploded too. Indeed, cyber insurance is now as important to a company’s cyber defence strategy as firewalls, strong passwords, and well-thought-out incident response plans. However, buying cyber insurance is not nearly as simple as buying other types of corporate insurance policies. The cyber insurance market is too new and too varied for there to be a set of clearly defined terms and expectations around what is covered and what is excluded from policies.
Meanwhile, the cost of breaches continues to soar. Cybersecurity Ventures predicts cybercrime damages will cost $6 trillion annually by 2021. The insurance market is both intrigued by and wary of this risk. On one hand, insurers see cyber insurance as a growth market and have started offering many different types of cyber insurance coverage. On the other hand, insurers are worried that losses could quickly multiply and therefore have been taking steps to limit their exposure to cyber risks. For example, cyber risks have been excluded from most general insurance policies. Companies must now purchase either standalone cyber insurance or a cyber insurance rider to their general liability policies.
Coverage under these cyber insurance policies is not standardized, meaning different policies cover or exclude different kinds of events. Because the track record of cyber insurance policies is quite short, many issues of interpretation have not yet been definitively settled. As a consequence, breaches often result in disputes between the insured and their insurer regarding whether an incident is covered by a particular policy. This problem is made harder to address in advance by the fact that hackers are continually evolving new ways to penetrate networks and monetize the information they find, which means that many types of attacks were unknown at the time the policy that might cover them was drafted.
Ashley Paquin, Associate, Nutter
The perils of insurance policies are perfectly illustrated by a recent lawsuit. The National Bank of Blacksburg in Virginia recently filed a lawsuit against its insurer relating to two cyber security incidents that happened in 2016 and 2017. The two data breaches (apparently by the same set of hackers) allowed the hackers to access the bank’s systems and remove critical security measures from customer accounts. The 2017 data breach also allowed the hackers to change customer balances. Once these accounts were altered, the hackers withdrew money from customer accounts through ATMs. The fraudulent ATM transactions could not have occurred without the hacking, as the hackers obscured the evidence of the fraud and disabled the daily withdrawal limits, controls that otherwise would have significantly limited the amount of money that could be stolen.
When the bank learned about the attack, it sought to recover the $2.5 million in losses from its insurer, an amount that was well within the bank’s $8 million policy limit. The insurer did not pay the claim. Instead, it offered only $50,000, on the grounds that the cyber insurance policy excluded losses resulting from the use of credit, debit, or other cards to obtain funds. Since these cards were used as a part of the criminal scheme, the insurer reasoned that the bank’s separate Debit Card Rider applied, but that coverage was capped at $50,000, an amount that would likely have been below the bank’s withdrawal limits – the withdrawal limits that the hackers had disabled. Inevitably, the bank has now sued the insurance company. The courts will decide whether the hacking and ATM card fraud is a cyber-attack or a loss resulting from debit card use.
Regardless of how the National Bank of Blacksburg case turns out, all consumers of cyber insurance should learn an important lesson: carefully verify whether cyber insurance covers the types of risks that your company may face and ensure that any limits on recovery are consistent with possible damages. Although some insurance coverage is better than none, insurance is very much defined by the fine print.
