What your business needs to know about cyber insurance changes

There's a major disconnect that could result in insufficient cyber coverage or rejected cyber claims. Commercial insurance coverage is usually purchased/renewed by the CFO, Business Manager, or owner of the business - not someone in IT who understands the actual cyber risk and what controls are/are not in place to protect data.

Example #1 - Exclusions: Your business already has cyber insurance, so you believe you are protected, but your IT staff or the outside firm handling your IT has never seen the policy wording, so no one is aware of an exclusion stating that any vulnerability recognized in the Common Vulnerabilities and Exposures (CVE) database with a score greater than 8.0 must be patched within 14 days of issue. You only have patching for Windows updates and miss an Adobe vulnerability, which leads to a data breach, and your insurer rejects the claim. Other exclusions can include legacy hardware and software and even "zero day" vulnerability exclusions for those threats that no one knows exist until they hit.
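The exclusion in this example is a measurable control, so IT can check the environment against it before the insurer does. The following is an added example (not part of the original article) that reads a vulnerability inventory and flags findings above the threshold that are open or were patched past the 14-day window, plus any product that no patch process covers. The clause numbers, the `Finding` record, the sample hosts and dates, and the CVE identifiers of the form `CVE-0000-000N` are all constructed placeholders; take the real threshold and window from your own policy wording.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Terms of the hypothetical clause described above; copy the real numbers from your policy.
CVSS_THRESHOLD = 8.0
PATCH_WINDOW = timedelta(days=14)


@dataclass
class Finding:
    """One vulnerability finding as a scanner or vendor advisory would report it."""
    host: str
    product: str
    cve_id: str              # placeholder identifiers below, not real CVE numbers
    cvss: float
    published: date          # date the CVE was issued, which starts the clock
    patched: Optional[date]  # date the fix was confirmed applied; None if still open


def in_scope(f: Finding) -> bool:
    """The clause only applies to findings scored above the threshold."""
    return f.cvss > CVSS_THRESHOLD


def deadline(f: Finding) -> date:
    """Last day on which a patch still satisfies the clause."""
    return f.published + PATCH_WINDOW


def breaches_clause(f: Finding, today: date) -> bool:
    """True when an adjuster could point at this finding: it is in scope and was
    either patched after the deadline or is still open once the deadline has passed."""
    if not in_scope(f):
        return False
    if f.patched is None:
        return today > deadline(f)
    return f.patched > deadline(f)


def exposure_report(findings: List[Finding], today: date, patch_tooling_covers: set) -> Dict[str, list]:
    """Summarise the position the insurer would see:
    - breaching: in-scope findings already outside the window
    - due: in-scope findings still open but inside the window, with days remaining
    - uncovered: products with in-scope findings that no patch process handles
    """
    report: Dict[str, list] = {"breaching": [], "due": [], "uncovered": []}
    for f in findings:
        if not in_scope(f):
            continue
        if breaches_clause(f, today):
            report["breaching"].append(f.cve_id)
        elif f.patched is None:
            report["due"].append((f.cve_id, (deadline(f) - today).days))
        if f.product not in patch_tooling_covers and f.product not in report["uncovered"]:
            report["uncovered"].append(f.product)
    return report


# Constructed sample inventory mirroring the scenario: Windows is patched by tooling,
# the Adobe product is not, and one Adobe finding has slipped past the 14-day window.
TODAY = date(2024, 3, 31)
PATCH_TOOLING_COVERS = {"Windows"}
SAMPLE_FINDINGS = [
    Finding("srv-01", "Windows", "CVE-0000-0001", 9.8, date(2024, 3, 1), date(2024, 3, 10)),
    Finding("ws-07", "Adobe Acrobat Reader", "CVE-0000-0002", 8.8, date(2024, 3, 5), None),
    Finding("ws-07", "Adobe Acrobat Reader", "CVE-0000-0003", 7.5, date(2024, 3, 5), None),
    Finding("srv-02", "Windows", "CVE-0000-0004", 9.1, date(2024, 3, 25), None),
]

if __name__ == "__main__":
    for key, items in exposure_report(SAMPLE_FINDINGS, TODAY, PATCH_TOOLING_COVERS).items():
        print(key, items)
```

On the sample data the report lists the Adobe finding as breaching, the newer Windows finding as due in 8 days, and "Adobe Acrobat Reader" as a product with no patch coverage, which is exactly the gap the example describes: the check only helps if the inventory includes third-party software, not just the operating system.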

Example #2 - Sub-limits: The business owner has a commercial policy with $5M of coverage and feels protected. The company is hit by a ransomware attack, and the owner contacts the insurer for help determining whether any data was accessed, recovering systems, and getting back to business. The broker points out a sub-limit of $10,000 of coverage for ransomware, which is all the company can collect despite costs of over $60,000 for investigation and clean-up.

Example #3 - "Reasonable protection requirement": The business owner receives a questionnaire to renew cyber coverage and gets help from the IT team to fill in the responses. IT confirms that the data backups are tested, multi-factor authentication (MFA) is in place for remote users, and the business does not make large wire transfers. Although the policy increased in cost by 40%, the owner is relieved to maintain the coverage. No one read the fine print in the actual policy, which states that "reasonable controls" must be in place and that the business must meet requirements to protect data. The company does not realize that it has state data protection requirements and that, by not aligning its security to a recognized cyber framework, it is leaving the door open for the insurer to reject a significant claim if there is a breach.

Recommendations:

1) Talk to a broker who specializes in cyber and can help you align your risk areas with coverage that isn't full of sub-limits and exclusions. Don't rely on the insurance agent that you've had for 20 years to be able to explain the nuances of a cyber policy!

2) Involve IT in the discussion with the broker. IT will understand the risks better than the executive team and can also discuss additional controls that can be put in place.

3) Align to a recognized cyber framework. Taking this step can help identify gaps in your protection and address them to prevent an incident. No measures are 100% effective, but alignment is your best evidence that you did what was "reasonable" to protect data.

More articles by Tracy Fox