Your company might have cyber insurance but, unless you’ve carefully checked the policy, you might be surprised to learn that it does not cover the risks your company faces. Unlike other types of insurance, which are fairly standard, cyber insurance is not uniform across carriers. Many policies contain exclusions and carve-outs buried in the fine print. Below are some of the questions to ask as you select the cyber policy that is right for your company.
Items Covered. Many companies are surprised to learn that not all costs incurred because of a cyber event are covered by their cyber insurance policy. In particular, review your policy to understand whether it covers costs related to:
2. Regulatory investigations
3. Forensic investigations
4. Notifications to affected consumers (mandatory and voluntary)
5. Credit monitoring for affected consumers
6. Statutory and regulatory penalties
7. Data restoration
8. Business interruption costs
9. Public relations
11. Indemnification of third parties for 1-10
Potential Exclusions. Even when coverage appears broad, your policy may contain exclusions of which you are not aware. The following are some questions to ask to help avoid that risk:
1. Definition of covered information: Will coverage apply to all breached proprietary information or only to Personally Identifiable Information?
2. Encryption exclusion: Does coverage apply if data is not encrypted?
3. Timing of coverage: Does coverage begin from the date an event occurs or from the date of discovery? It can take months or even years to learn that your network has been infiltrated. If your policy only covers events that occur as of the date of coverage, you’ll need additional coverage to protect you from earlier breaches that you might not have been aware of when you bought your policy.
4. Reasonably foreseen: Ensure coverage does not exclude events that could have been “reasonably foreseen”.
5. Data outside the insured network: Does coverage extend to data in the cloud or on third-party systems, or only to data on your own network?
6. Rogue employees: Does coverage include malicious acts by insiders?
7. Ransomware: Does coverage include the cost of denial of service attacks?
8. Criminal activity/phishing: Does coverage include loss due to an employee being tricked?
9. Rogue states: Does coverage include state-sponsored criminal activity?
10. Third-party fault: Does coverage include breaches that occur at the vendor level (i.e. if your hosting service is breached but you’ve promised to indemnify)?
As cyber threats become more pervasive, companies are beginning to realize that cyber insurance is a must. If your company has gotten to that point, there is no reason not to take the additional step of making sure that the policy you purchase gives you the coverage you expect.