6/15/2017 11:00 AM
Sara Boddy
Partner Perspectives
Cyber Insurance: Read the Fine Print!

Applying for insurance is a grueling process involving detailed questionnaires and lengthy technical interviews that can still leave you without an adequate safety net.

Raymond Pompon also contributed to this article.

Those of us with experience in IT security know there are some risks we just can't mitigate. In such cases, many of us seek risk transference through cyber insurance. But some of us have had a rude awakening on discovering that the coverage we spend tens of thousands (or even millions) of dollars a year on fails to honor our claims.

This is exactly what happened to Ameriforge Group, the victim of an email scam in which the company's own chief executive was impersonated. Ameriforge lost nearly half a million dollars, but the insurance carrier claimed the company's coverage was for forgery of financial instruments, not for fraudulent emails that executives were tricked into acting on.

This story is not an aberration. For the past year, F5 lab researchers have heard many CISOs complain that cyber insurance isn’t to be trusted at face value. One prominent CISO, who chose to remain anonymous, flat out told us, "Cyber insurance is B.S.," adding, "No one will actually cover claims. It gives you a false sense of control."

Although not every CISO believes the situation is quite that dire, corporate attorneys who understand the nuances of cyber insurance are few. Without qualified legal help, you can easily find yourself without a safety net when you need it most.

Coverage Gaps
What kind of coverage gaps are people seeing? One of the most obvious is the base deductible. Some policies vary the deductible amount based on the type of loss, and some losses aren’t covered unless they exceed $500,000. In other cases, organizations wrongly think their standard business loss insurance covers cyber loss. In a 2013 case, a hacked company was denied payment because its policy applied to property damage—and electronic data wasn’t considered "tangible property."

There are subtler forms of coverage gaps, as well. In the world of business loss and the law, there are different classes of damages, depending on when and how they occur. In a 2016 case, a restaurant chain’s cyber insurance covered direct damages of a data breach, but left the restaurant high and dry for millions of dollars in fees and assessments associated with fraudulent credit card chargebacks.

The savvy CISO should do a detailed impact analysis for all major threat scenarios before shopping for cyber insurance. The list of possible impacts can include:

  • Direct monetary losses from electronic theft, phishing, email scam, or other types of cybercrime.
  • Losses due to cyber extortion, such as DDoS blackmail or ransomware.
  • Losses related to mitigating and investigating an incident, including computer forensics and consultants.
  • Losses due to downtime, which includes customer revenue, worker productivity, and increased operational costs.
  • Loss or damage to data or software, including costs associated with replacing, patching, recreating, or restoring things to the way they were before the incident.
  • Expenses associated with remediation activities, such as new control purchases, application design enhancements, monitoring, supporting staff, etc.
  • Expenses associated with customer breach notification, including public relations, legal consultation, postage fees, and telephone support.
  • Expenses associated with customer compensation because of the incident, including credit monitoring, service level agreement penalties, refunds, and contractual violations.
  • Expenses related to liability exposures due to the incident, such as investigator fees, legal defense costs, and civil court damages.
  • Expenses due to third-party liability exposures, including loss or corruption of third-party data or service.

Disqualifiers
Sometimes cyber insurance claims are denied because an organization disqualified itself. A hospital group's claim for losses associated with a privacy breach was turned down because its systems were not properly patched. On its application form, the hospital group had claimed to be performing many standard security practices, but those practices had lapsed. That was sufficient reason for the insurer to deny payment.

Applying for insurance can be a grueling process involving detailed questionnaires and lengthy technical interviews. Throughout, the organization's responses must be complete and honest, because a misstatement on the application can give the insurer grounds to void the contract.

This is a significant risk in cyber insurance because few IT security programs are perfect, and operational lapses do happen. One cyber insurance company rejected a claim because a user fell for a phishing attack: the insurer ruled that the resulting access was "authorized," even though the victim had been tricked into granting it.

CISOs should know all the possible impacts and costs of a breach and match them to their cyber insurance policies. Having legal help from someone with deep expertise in this area is a prudent investment before purchasing. Whatever cyber insurance policies you purchase, make sure to read the fine print very carefully rather than assuming a policy provides the right coverage.


Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ...
Comments
mcavanaugh1, User Rank: Apprentice, 6/20/2017 | 1:12:18 PM
Cyber Insurance
While I understand the intent of the article, the majority of the information is only part of the picture. First, many of these suits and declinations of coverage were filed under insurance policies that were never intended to cover these exposures, specifically Crime & Commercial General Liability insurance policies. The expectation that a CGL policy designed to cover bodily injury and property damage should also cover these types of exposures is ridiculous. It would be similar to filing a claim for an auto accident under your homeowner's insurance policy.

Second, the examples of social engineering, phishing and the lack of coverage should fall more on the insurance agent or broker that placed the coverage. While this coverage may not have been available in January of 2016 (Krebs Article), September of 2015 (BitPay), June of 2016 (PF Changs), and August of 2013 (Schnucks), it is currently available in the marketplace and has been for quite some time. This coverage is readily available from several insurance companies on a cyber liability insurance policy for most industries, although the insurance agent may have to request the coverage to specifically be added. The truth is that a correctly written cyber liability insurance policy can respond to everything that was mentioned in the 10 bullet points outlined in the article. Also, many carriers are writing comprehensive policies that will cover everything with a minimum premium of $1,000 (less for some industries) with a deductible of $1,000 to start. This can include the cyber-crime coverage needed in two of the examples (Krebs & BitPay) linked to in the article.

I definitely agree that a company contemplating purchasing a policy should read the fine print; however, the first step should be finding an insurance agent or broker that understands the coverage. A cyber liability insurance policy should complement the risk management measures in place with the mindset of viewing the policy as a service. Many carriers will provide risk management services to a policyholder before and after an event with the goal of making their policyholder more secure.