For those of us that our tech geeks (ok, IT Professionals), we tend to look at all of the technical things we can do to protect our organizations from the cyber criminals out there:
- We set MFA (Multi Factor Authentication)
- We turn on EDR (End Point Detection and Response)
- We enable email scrubbing
- We set up the best firewalls
- We implement cyber security education for everyone
- We do xxx, yyy and keep going!
The issue all it takes is ONE mistake and all of the hard work appears to go down the drain! So what are the key areas we should focus on to make sure that if we do have a breach we do NOT lose the claim!
- FAILURE TO MAINTAIN: Often referred to as the negligence or “failure to follow” exclusion, some carriers contain within their policy language, a specific exclusion which precludes coverage for claims arising from the insured’s failure to maintain minimum/adequate security standards. (See above!) And they have attracted as much contention as they have confusion – which is a large reason why many carriers have since removed such language (check yours!). While it may not trigger any specific concern for the average broker or buyer (appearing as a form of a warranty statement) it serves as a dangerous blanket-type exclusion. Here is a small sampling of the language used in such exclusions:
- “Failure to ensure that the computer system is reasonable protected by security practices and systems maintenance procedures that are equal or greater to those disclosed in the proposal”
- “Failure to continuously implement the procedures and risk controls identified in the insured’s application”
- PCI FINES & ASSESSMENTS: PCI related fines and assessments is another area in which cyber insurers are denying coverage with seeming regularity. While the PF Chang case may be one of the more widely publicized examples, it is far from the only dispute involving coverage for such fines. To briefly summarize the case again – following a breach which exposed customers’ credit cards, the insurer paid roughly 2 Mill in damages but denied the payment of roughly another 2 Mill in PCI assessments for policy language reasons. Insurers can restrict or limit coverage for such assessments through various policy clauses. The 2 most problematic exclusions however are i) specific exclusions for PCI or self-regulatory fines, and ii) the contractual liability exclusions (as was relied upon in the PF Chang case). Of equally important consideration is, how the payment card information is accessed. Some policies contain exclusions for viruses or self-propagating code which could also serve to preclude PCI coverage.
- CYBER EXTORTION & RANSOMWARE: Ransomware has been a hot topic following the recent chain of breaches. As demonstrated by WannaCry, extortion demands have continued to remain low despite an expected imminent increase. This is deceiving however – with most of the damages arriving in the form of lost income and asset restoration, it can be all too easy to underestimate the severity of damages that a ransomware attack can inflict.
With cyber policies often setting individual limits per insuring clause and further sub-limiting specific elements, policy limits can sometimes be difficult to navigate. For this reason, it is advised that insurance purchasers perform a careful assessment of the extortion insuring clause and review all limits, sublimits, deductibles and time deductibles for adequacy using benchmarks if available. It should also be noted that attacks such as these can also inflict considerable reputational damage and lost clients, which can be difficult to quantify and equally difficult to insure against.
- PRE-BREACH LAWSUITS: The case of Kimpton Hotels has already demonstrated that a cyber breach-related lawsuit can be brought prior to actual “data-misuse” induced damages, however the Johnson Bell case takes it one step further, becoming the first lawsuit to be filed even despite any actual breach. While the concept of preemptive regulatory inspections/investigations is fairly well understood, the concept of a lawsuit in absence of an actual breach is slightly harder to grasp. To summarize, after one of the firms’ clients discovered security holes, a class action was filed against the law firm for malpractice and negligence (among other allegations) resulting from security flaws and failure to properly secure its client’s data which “subjected the plaintiffs to an increased risk of injuries”. Among other security vulnerabilities stated, were allegations that the law firm was utilizing out-of-date software that was known to be exploitable and a VPN and email system that were vulnerable to attacks. It’s once again important to note however, that there was no actual intrusion, data exposure or data misuse – meaning effectively, no damages.
- SOCIAL ENGINEERING SCHEMES: Social engineering schemes have been steadily growing in popularity, and can be exploited a number of ways: via phished email credentials, by way of phone or letterhead, or direct altering of bank account information by cyber criminals. While policy language is still adapting to better cover computer fraud and social engineering losses, many policy forms contain a number of exit points for which carriers can attempt to deny coverage. Without summarizing the specifics of each case, here is a small sampling of some of those potential exit points that carriers have been relying on and the cases in which each was cited:
- Fraudulent transfer was ultimately caused by the over-riding of the company’s own security controls (State Bank)
- Funds were transferred voluntarily or by natural persons with authority to enter the company’s computer system (Acqua Star & Medidata)
- Fraudulent transfer request was carried out via phone as opposed to “directly from the use of a computer” (Apache Corp)
- Losses sustained were not “direct” losses of the insured but rather losses of clients’ funds. As also pointed out by Blaney’s Fidelity Blog, the policy contained an additional requirement that the fraudulent transfer be introduced via “unauthorized introduction of instructions that propagated themselves”. (Taylor & Lieberman)
The key thing is make sure that all of your policies and procedures are aligned with your Cyber Insurance policy. If you want to find out more? Join our in-person seminar on “Is your Cyber Policies aligned with your Cyber Insurance“ on June 14th, 2023 for our lunch and learn at the Firerock Grill.
Maybe it’s time to look at “Managed Services” to enhance your business needs and take care of some of basic tasks so your IT staff can focus on the core business issues!
Want to find out more? Reach out to firstname.lastname@example.org or give us a call at Fusion IT at 616-828-5360!
Thanks to https://www.gbainsurance.com/avoiding-cyber-claim-denials for information contained in the blog!