10 Things IT Probably Doesn't Know About Cyber Insurance

Published: 22/11/2024   Category: security




Understand the benefits and the pitfalls you might miss when evaluating cyber policies.



As more organizations start considering cyber insurance as one component of a fully fleshed-out IT security operations and risk management strategy, increasing numbers of IT executives and security leaders will be called upon to evaluate these policies. While the cyber insurance market has matured considerably over the last few years, this process can be daunting for the uninitiated.
"Policyholders need to critically review all language in their cyber policies," says Selena Linde, a partner with Perkins Coie LLP who practices insurance law. "With no standard ISO form, cyber policies are still the Wild West of insurance policies, and the language offered by the 50-plus carriers in this space changes monthly."
Dark Reading recently caught up with Linde and Jake Kouns of Risk Based Security, a firm that tracks breach and vulnerability information to sell to insurance underwriters. They both offered up salient points that many IT staffers likely have never considered about cyber policies -- both the benefits and the gotchas that might not always be apparent on first review.
Cyber insurance policies aren't magic
Kouns explains that, like any kind of insurance, cyber policies have the potential to include exclusions, narrow definitions, and other limits. The more of these limits, the less expensive the policy. They're simply a way to keep costs in check.
"This is common insurance stuff that has been going on for a long time," Kouns notes about the type of language that restricts coverage in various ways. Just because a potential policy has that language doesn't necessarily make it bad. What's bad is when an organization considers itself covered by insurance for a breach without understanding the limits of the policy.
"There are some policies out there that are not high quality, and then there are those that are really great options for transferring risk," Kouns says. "So you just need to understand what kind of data your company has and what sort of limits it might need to limit cost."
This is where an experienced broker can help
Companies have been buying property insurance, workman's comp, and all of these other policies forever, and they have a broker or agent they buy them through. These brokers and agents are experts at picking the right policy, so use that expertise.
You're going to need to think more seriously about retroactive dates
As organizations dive into the language of their policies, one of the essential elements to consider is the retroactive date for a policy. Increasingly sneaky attacks are being found on corporate networks after having been there for months or even years.
"Since experts have found that when a breach is discovered the hacker has usually had access to the system for more than 400 days, negotiating early retroactive dates is critical," Linde says.
Terrorism/act of foreign enemy exclusions could sink you
In a car insurance or homeowner policy, an exclusion for acts of terror or foreign enemies may not be that big of a deal. But for cyber risk policies, these exclusions could be a real problem.
"With the majority of cyber attacks originating overseas and many of those believed to be state sponsored, how these exclusions are worded is critical to the value of the coverage," Linde says. "Companies need to negotiate the removal of these exclusions or carve-outs to these exclusions to ensure the coverage they purchase will indeed cover cyber attacks from outside the United States."
You're buying more than a claims payout
"Insurance carriers don't make money by paying out claims.
And if a claim comes in, it's in their best interest to get it closed as cheaply as possible," says Kouns.
That is why organizations tend to get a lot more value from cyber insurance than the potential of a paid claim. Insurance companies will have on-staff and outsourced resources such as lawyers to help fight class-action lawsuits, security people to help advise about protections before breaches and incident response after breaches, and credit monitoring services to help consumers after a breach.
"As a part of your policy you get access to those capabilities to help you respond and recover," he says.
Even a minimal policy buys you a valuable partner
Often organizations will consider cyber liability policies an all-or-nothing affair. They'll want all the exclusions lifted from a policy but balk at the resulting price and ultimately choose not to buy anything at all. But given the resources insurance companies bring to the table, there may be room in the gray area for benefit.
"At the end of the day, just getting a lower amount of insurance will get you started and will get you access to all of those resources. So if you only have $1 million in coverage and your breach is $1.7 million, you're going to be on the hook for that extra money -- but guess what?" Kouns says. "You're going to get the negotiated rate from these different vendors instead of getting gouged by the security people who say, 'Oh, you're in a bad spot? OK, that'll be $500 an hour and I'll be camped out for five months.'"
Who you talk to after a breach could affect your claim
Because cyber insurance is such a new field, claims against such policies tend to have a higher rate of litigation attached to them than other more established insurance products. These legal struggles really depend on how language and intent are interpreted by the courts. This means that organizations must be very careful about whom they talk to and what they say early on in the process.
"What a policyholder says and to whom and how it is said may make the difference between a covered and an uncovered claim," says Linde. "Policyholders should be careful in the initial stages when characterizing their claims or discussing coverage with their insurance companies, their brokers, or any outside consultants."
In particular, policyholders have to be careful about discussing coverage issues with their brokers -- especially in email or IM.
"In many jurisdictions, communications with a broker are not subject to any privilege, and any unprotected communications may be discoverable if a coverage dispute ultimately arises," Linde warns.
Delaying notice is a potential claims killer
Once a breach is detected, don't wait too long to notify your insurer of the issue. How long you have will vary by policy, but some of them want to know as soon as 24 hours from public disclosure.
"Generally, however, notice must be provided between 30 and 90 days after the discovery of a breach," Linde says. "Failure to abide by the policies' specific notice provisions may bar coverage in some jurisdictions, especially for claims-made policies."
Insurance companies are starting to reword policies to only cover theft
According to Linde, many policies are starting to include revised language that makes them only cover losses from theft of data. That could be dangerous for companies that suffer a data exposure from negligence such as an employee losing a laptop with sensitive data.
"Since negligence still accounts for close to one-third of cyber breaches, companies need to ensure they are covered regardless of how the data ultimately ended up in the wrong hands," she says.
Contractual liability exclusions might void your policy without action
"Insurance carriers often try to avoid coverage by arguing that contractual relationships with vendors, credit card companies, and banks act to void the purchased insurance in the event of a breach," Linde warns.
As companies evaluate their policies, they should keep an eye out for these kinds of exclusions. If they can't get them removed, they should at a minimum carve them back, she recommends.
It's less expensive than you think
Given the prevalence and the costs associated with data breaches, cyber liability insurance is still unbelievably low, according to Kouns.
"Risk transfer is a legit option -- it works and it works really well a lot of times, and you get a lot services-wise, along with financial recovery, for the price," he says, explaining that even if it seems steep at first, there may be a way to craft policies with lower limits that make sense, depending on the organization. "You can right-size your policy."
