Faced with the growing threat of hacks and data breaches, more and more businesses are looking toward cyber liability insurance to protect themselves. Being proactive about cybercrime is a good thing. Unfortunately, many cyber insurance policies have gaps in coverage that can leave your business vulnerable.
The cyber security field is exploding in popularity, but it is still a young field, and cyber insurance is equally immature. There’s little standard language for defining coverage, and every policy is a little different in terms of what’s included and what’s not. Businesses need to be careful to read the fine print.
What’s Typically Included?
- Forensics: after an incident, a forensic investigation is needed to find out what happened, the extent of the damage and how to prevent the same thing from happening again. Many policies will reimburse these costs.
- Business losses: policies may cover the costs for recovering lost data, repairing computer systems, business interruption and even repairing reputation damage. Check for restrictions, though. For example, your network may need to be down for more than 8 hours before business interruption coverage would apply.
- Notification: you are legally required to notify your customers If you have a data breach that involves customer credit card numbers, medical records, etc. You may also need to offer credit-monitoring services.
- Legal expenses: Many policies will also cover your legal fees and expenses, including defense fees and settlements if someone sues you due to a data breach.
Critical Loopholes You Should Know About:
Phishing
Phishing is one of the most common forms of cyber attacks. Phishing is when you receive an email that looks like it’s from someone you can trust, but it tricks you into giving away personal information or transferring money to a malicious sender. Some cyber insurance companies are denying coverage for these attacks, claiming that you authorized the action.
The case of Aqua Star (USA) Corp. v. Travelers Casualty & Surety Co. of America is an example of this exact problem. An employee was a victim of a phishing attack, but the insurance company is denying coverage based on the argument that the employee voluntarily transferred money to the fraudulent account.
The best defense is for you and your employees to be vigilant about suspicious links and emails. Second, make sure that your IT provider is backing up your data and has a disaster recovery plan in place. If you do fall victim to attack, you want to know your systems and data are secure, because your insurance policy may not cover you.
Routine Maintenance
Imagine buying a warranty policy for your car. In order to keep the warranty valid, you have to perform regularly scheduled maintenance. It’s the same way with cyber insurance.
Buried in many policies, you’ll find exceptions to your coverage if you’re not keeping your computers and network patched and up to date. Here’s an example of the exact language found in a cyber policy, which excluded coverage for damages, “arising out of or resulting from the failure to, within a reasonable period of time, install customary software product updates and releases, or apply customary security-related software patches, to computers and other components of computer systems.” In other words, if you’re not responsibly maintaining your systems, your insurance won’t help you.
To combat this, make sure you have a reliable IT provider who is regularly monitoring your system and installing security patches and updates.
Learn more about protecting your network with our free ebook: