While cyber threats grow and the cyber insurance market evolves, insurers are regularly adjusting their policy terms and conditions in response to new threats and exposure.
Carriers have amassed nearly a decade’s worth of data and are getting more stringent about underwriting and demanding that policyholders do their share by implementing best practices aimed at preventing cyber attacks and reducing their impacts.
They have also been adding more exclusions to policies, according to a new report by Delinea. The report is a sobering reminder that business owners need to carefully read their policies. The access-management software firm notes that:
- All respondents to its survey had at least one exclusion in their policy that would void coverage.
- All respondents had at least one attack-related expense that wouldn’t be paid for by cyber insurance.
- Businesses should create a “rainy day” fund to pay for situations that won’t be covered by their cyber insurance. The report notes that the average cost of a data breach in 2023 exceeds $4 million.
Exclusions to watch out for
Obviously, the crucial question is: What are the most common exclusions in cyber insurance policies?
Missing security protocols — Insurers require businesses to have certain security protocols in place, such as keeping software and systems updated with the latest versions and security patches, regularly training staff on cyber security and using certain security controls.
Internal threats — Acts by employees, like hacking, cyber extortion, data theft and other illegal or unauthorized activities, are typically excluded.
Human error — If an incident is caused or worsened by a mistake, like misconfiguring or failing to address known vulnerabilities, a cyber claim may be denied as the insurer could argue that the event could have been prevented or mitigated.
Act of war or terrorism — While many cyber insurance policies have these exclusions, courts have increasingly pushed back on them as a pretext for denying a claim after a cyber attack. Often it’s difficult for the carrier to prove it was an act of terrorism or war.
Out of compliance — Misrepresentations or nondisclosure of material information on a cyber insurance application may cause the insurer to deny coverage.
Failure to report an event in a timely fashion — If you fail to inform your cyber insurer of an event within the timeframe specified in the policy, or if you provide incomplete information, the company may deny the claim.
The takeaway
If your firm is hit by a cyber attack, you’ll be doing most of the heavy lifting and you’ll be dealt many expenses to get back to normal.
Respondents to the Delinea poll said that their cyber insurance policies were most likely to cover expenses related to data recovery, although insurers’ definition of that term vary depending on the circumstances.
“For example, say an attacker is holding your data for ransom. Some insurance companies may say they want to make the decision whether to pay the ransom to recover your data (regardless of your preference),” the report states.
The key is to understand your policy’s coverage and have protocols in place to reduce the chances of an excluded event taking place.
