Cyber Security Coverage Gaps

My last post pointed out the need to carefully review a potential insured’s exposures to data breaches and then make sure that the policy chosen adequately covers those exposures.  The latter task is made more difficult by the lack of standardized cyber liability policies.  Each company has their own form for such policies and as the agent in the P.F. Chang case discussed in my last post found out, the wording of an exclusion clause can be critical.

Carefully reviewing the language of every company’s cyber insurance policies can be very time-consuming and sleep inducing.  Fortunately, someone has already done this.  Betterley Risk Consultants has recently published a report that explores in detail the coverages available for 10 different types of exposures associated with data breaches.  Who provides coverage for regulatory and statutory claims, remediation costs, security assessment requirements, theft, third party liability, terrorism, and even bodily injury and property damage, along with other types of exposures, is discussed.  The executive summary for the report is available online.  If you are interested in getting detailed information about coverages, that can be obtained for a reasonable price from the International Risk Management Institute’s website.

One important trap for the unwary that was not discussed in my last post, but should be mentioned, is the exclusion found in many policies for the failure to maintain security standards.  As the Betterley report points out, this exclusion is very harsh on an insured who may be doing their best to meet the standards established when the policy was written, but for whatever reason is unable to do so.  Such a failure, even though having met the standards would not have prevented the data breach in question, can result in the denial of any coverage.  Policies with this exclusion should be avoided, if possible.

Another coverage trap for the unwary involves what has come to be known as “whaling”, or social engineering (the Betterley Report prefers to call this type of illegal activity deceptive funds transfer, which is not as colorful but more descriptive of what happens).  It involves the use of e-mails that appear to be from officers or employees of a company, but are really from hackers.  The hackers use the names and e-mail addresses of these officers or employees to request the transfer of funds by the company to an account set up by the hackers.  Millions of dollars have been lost by companies that have been the subject of these attacks.  Many of those companies have discovered to their dismay that they have no insurance coverage for such fraudulently induced transfers, because the standard theft coverage in their insurance policies does not cover funds that are voluntarily transferred by the company, as opposed to being taken from the company by third parties.

In keeping with my theme of cyber liability being a two-edged sword for insurance agencies and agents, they and other small businesses should not assume that “whaling” only occurs at big companies and for large amounts of money.  As noted by Steve Anderson in a post he did on this subject, “whaling” has happened to insurance agencies for relatively small amounts of money.  Mr. Anderson’s post also has some advice on what agencies can do to protect themselves from this type of attack.