A Lawyer’s Guide to Cyber Insurance: 4 Basic Tips

The time to read the fine print in your cybersecurity insurance policy is before you sign on the dotted line.

These days, it seems that everyone has heard a cyber insurance horror story: a catastrophic cyber event followed by a swift denial of cyber insurance coverage. At a time when all companies are beginning to think in terms of cyber resilience, cyber insurance is an important part of any company's cyber preparedness. As outside counsel, I've spent significant time reviewing cyber policies. Below are my top tips to consider when looking at your cyber insurance coverage. 

Tip 1. If you don't know whether you have cyber insurance, you likely do not have it.
Why? Because cybersecurity events are a common exclusion across general liability policies and require their own standalone policy. Worse, not all policies are created equal, and the cyber insurance industry is like the Wild West: because of its relative newness, policies are not standardized. So, while your directors and officers (D&O) policy may look basically the same as the one from the insurance company down the street, that is likely not true for cyber coverage. Thus, it is important to carefully review your cyber insurance options and not just lock in whatever an insurance broker is selling as premium coverage.

Tip 2. Read the actual policy, not just the summary of coverage.
Cyber insurance coverage can diverge drastically from insurance provider to insurance provider, so it is incredibly important to review the actual insurance policy. Some of you may be rolling your eyes at this basic suggestion but you'd be surprised how often I've seen a client provided with a summary of coverage without a copy of the actual underlying policy and think that may be all that they need. Why does this matter? Because inevitably there will be terms that govern the policy that are legally defined terms in the policy itself. So, if a dispute arises as to whether an event is covered in an insurance policy, a court is going to look at the four corners of the actual insurance policy and will not likely consider evidence of what you were told at the time you bought the policy. An insurance policy is a contract between you and the insurance company. And, just like a breach of contract action, if there is a dispute later, a court will look to the written agreement between the parties. Therefore, the time to read the policy is now — not during an event.

Often, I see a summary of coverage that lists a "social engineering exclusion." These social engineering exclusions can encompass phishing and sometimes even ransomware. But if you only have the summary of coverage without the related definitions, you won't know what may or may not be covered.

It's also important that your CISO, or someone in your organization with cybersecurity expertise, reviews the cyber insurance policy, which typically includes technical language and definitions. For example, I recently read a policy that only provided coverage for a claim made by someone for incidents that rose to the level of a "technology wrongful act" or a "privacy and security wrongful act." But when you read the policy, "technology wrongful act" covered only the hosting of data. The coverage for "privacy and security wrongful act" covered what the policy described as "the failure to prevent a breach that resulted in the inability of the user to gain access to a network, malicious deletion of data on the network, and transmission of malware to third parties." Notably missing from this definition was the concept of a financial loss related to social engineering, phishing, ransomware, or wire transfer fraud.

Tip 3. Exclusions can be brutal.
Cyber-risk translates into big dollar risk and insurance companies recognize this. Phishing and ransomware can both be common exclusions along with business email compromise events. Wire transfer fraud is often not covered. Because of this, it is important to look at your policy to determine what it really and truly covers. I once had a CEO ask if their policy only covered someone breaking in and stealing a server rack. Unfortunately, in that instance, the answer was "basically."

I have also started to see policies that contain a summary of coverage page that lists a set sum for coverages (for instance, a chart that shows $5 million worth of first-party coverage to protect the company being insured). Then, hidden deep in the policy, are the actual sublimits and exclusions. In one egregious review, the social engineering sublimit of $100,000 was buried on page 54 of a 66-page PDF. It also contained a $50,000 "retention" or, essentially, deductible, to be paid out of pocket by the company before coverage is triggered. If the client had only the summary of coverage provided by the broker, they would have thought they had $5 million in cyber coverage because the exclusion was not listed front and center but was instead hidden deep in the PDF.

Knowing that exclusions exist as a common part of cyber insurance, it is important to ask your broker for several cyber insurance policies to compare at the time of binding coverage. Look at your business operations and determine what coverage you need. Is your organization a software company? Managed service provider? Brick and mortar with a lot of employees? A public utility or a financial institution? Hospital? Tailor your cyber insurance to your business and be aware that the typical broker may be fantastic at selling D&O coverage but is not a cyber insurance guru. No matter your industry or business model, consider having a cybersecurity lawyer help navigate the insurance coverage matrix and negotiate coverage.

Tip 4. Negotiate before, not after, a breach.
You can always try to negotiate better coverage. At minimum, ask for lower retentions and higher sublimits.

If you have a favorite forensic team, ask that members be included as your chosen provider in the event of a breach. Often, insurance companies provide "panel" counsel and "panel" forensics teams. I have seen fantastic firms listed as panel counsel in the marketing materials provided to a client. Then, when the breach hits, they are assigned counsel not from the elite Manhattan firm but from somewhere else.

You can also ask for your chosen team to be included when you "bind" coverage. As part of the insurance application process, make a specific request for the people you know and trust. Then, when the worst hits, you know you have your A team at your back versus a crew arriving from out of your market.


Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ...

User Rank: Ninja
7/15/2019 | 9:49:29 AM
Monetary protection only
Does not PREVENT or REMEDIATE a breach!!!   This is for the accounting department - gee, 14 million records stolen and personal data exposed BUT the firm can survive the financial loss!!!  WE HAVE INSURANCE.  Oh, that is a signal for the Lawyers to file lawsuits - why? THE CASH IS THERE.   But it does nothing to prevent or take action during or after a breach.  Does it??? 
User Rank: Strategist
7/16/2019 | 8:12:38 AM
Re: Monetary protection only
No, not all Cyber Insurance policies are limited to monetary protection.  Many carriers providing standalone Cyber Insurance policies provide Pre-breach Risk Management services including policies & procedure templates, pre-breach consulting, and training to ultimately provide education to companies.  Some will also provide active monitoring, vulnerability scans (limited in nature), phishing training for employees, tabletop exercises, and hardware/software to help protect the insured company's network.  These can all be provided to an insured company for no additional cost.

The marketplace is adapting to include post-breach remediation as well.  Some carriers will extend consulting services to provide recommendations and others will pay to remediate any issues to avoid breaches going forward.  This can include replacing hardware, upgrading systems or simply rolling out patches depending on the consultant's findings.

There is a lot of misinformation out there lately with Insurance companies denying coverage under a Cyber Insurance policy.  The most recent is the War Exclusion issues.  In the case of Mondelez the articles/stories rarely explain that Mondelez did not have a Cyber Insurance policy but rather they were trying to file a Cyber claim under a Property policy not designed to cover that exposure. 

Your best bet to get covered is to work with an agent/broker that knows the coverage and works with Insurance Companies that have been in the marketplace long enough that they have handled many, many claims and offer a comprehensive policy with risk management services. Premiums for these policies can be as low as $500-$700 inclusive of the coverage & services.
User Rank: Ninja
7/16/2019 | 8:32:05 AM
Re: Monetary protection only
Point taken, and it would be wise for insurance companies to provide these services and also make sure their suggestions ARE being carried out!!!   Periodic review would be mandatory.