The Most Frequent Cyber Insurance Claim Denials to Avoid

When it comes to cyber security, businesses worry about suffering both a cyber breach and the denial of the resulting cyber insurance claim. First they have a security breach that causes major damage, and then they realize their insurance will not cover them. We look at some of the most prominent situations and areas where carriers are refusing coverage (or are projected to reduce coverage) and how to avoid them, from hidden wording to sub-limits.


Some carriers include a particular exclusion in their policy wording that prevents coverage for claims stemming from the insured’s failure to maintain minimum/adequate security requirements. This exclusion is sometimes referred to as the negligence or “failure to follow” exclusion. Such exclusions have sparked as much debate as they have caused confusion, which is why several carriers have subsequently dropped this wording. While it may not raise any immediate concerns for the ordinary broker or buyer (since it seems to be a warranty statement), it is a risky exclusion. Here’s a sample of the wording used in exclusionary clauses:

“Failure to guarantee that the computer system is adequately safeguarded by security practices and system maintenance procedures equivalent to or greater than those described in the proposal”

As a result, organizations and their directors should carefully check the cyber insurance terms and exclusions to verify that the form does not include any provisions or phrasing requiring the insured to adhere to a specific level of cyber security measures. Additionally, firms should collaborate closely with their CISOs, IT departments, and information security teams to verify the truth of all representations made in the application.



Another area where cyber insurers seem to be refusing coverage is PCI-related fines and assessments. While the PF Chang case is one of the most well-known cases, it is far from the only dispute regarding coverage for fines. To recap the case, the insurer paid around $2 million in damages after a breach that exposed consumers’ credit cards but refused payment of another $2 million in PCI assessments due to policy wording issues. Insurers may restrict or limit coverage for such assessments through different policy terms. Specific exclusions for PCI or self-regulatory penalties, as well as contractual responsibility exclusions (as was relied upon in the PF Chang case), are the two most troublesome. Some policies have exclusions for viruses or self-propagating code, which might make PCI coverage unavailable.


Following a string of data breaches, ransomware has become a hot issue. Extortion demands have remained modest, as WannaCry revealed, although a rise is predicted in the near future. However, since the majority of the losses come in the form of lost revenue and asset restoration, it’s all too easy to underestimate the extent of the harm that a ransomware attack may do. The widely reported Alfonso Moses case clearly demonstrates the gap between the extortion demand and the long-term loss of revenue. Following a ransomware attack that demanded a 25k ransom, the cyber carrier in question eventually agreed to compensate the law firm for 20k (the policy’s sub-limit), although the firm claimed it had incurred 700k in losses due to missed revenue. While it’s unclear whether the policy’s terms covered lost income as a consequence of cyber extortion, the policy’s limits would seem to have been inadequate nonetheless, highlighting the need to assess the breadth of coverage.


The Kimpton Hotels case proved that a cyber breach-related lawsuit may be filed before actual “data misuse” has generated losses, but the Johnson Bell case takes it a step further by becoming the first to be filed even though there had been no actual breach. While preemptive regulatory inspections/investigations are fairly well known, the notion of a lawsuit in the absence of an actual breach is a little more difficult to fathom. To summarize, a class action lawsuit was filed against the law firm after one of its clients discovered security holes, alleging malpractice and negligence (among other things) as a result of security flaws and failure to properly secure its client’s data, which “exposed the plaintiffs to an increased risk of injuries.” The law firm was accused of using out-of-date software that was known to be exploitable, as well as a VPN and email system that were vulnerable to attack, among other security flaws. However, it’s worth repeating that there was no actual penetration, data disclosure, or data misuse, implying that there were no losses.



Social engineering schemes have been slowly gaining in popularity, and they may be carried out in a variety of ways, including through phished email credentials, phone or letterhead, or cyber thieves directly manipulating bank account information. While policy wording is still evolving to better address computer fraud and social engineering losses, many insurers still have a number of escape points through which they might refuse coverage. Without going into detail about each case, here is a sample of some of the possible escape points that carriers have relied on, as well as the cases in which each was cited:

The company’s own security safeguards were eventually overridden, resulting in the fraudulent transfer (State Bank)

Funds were transferred willingly, or by natural persons with authorization to access the company’s computer system (Aqua Star & Medidata)

The fraudulent transfer request was made via the phone rather than “straight from a computer” (Apache Corp)

The losses suffered were not “direct” losses to the insured, but rather losses of the customers’ money. The terms also stipulated that the fraudulent transfer be initiated by “unauthorized insertion of instructions that propagated themselves,” as pointed out by Blaney’s Fidelity Blog (Taylor & Lieberman)

Instead of depending on a computer fraud/forgery insuring provision, the first step in obtaining coverage for such claims is to ensure that any cyber insurance or crime policy includes an acceptable social engineering endorsement. It’s also a good idea to take a close look at the social engineering clause, since endorsements can vary a lot.
