You’ve got cyber insurance in case the worst happens. But what does your policy cover and what will it not pay out for? Your worst-case scenario might be worse than you think.
What Is Cyber Liability Insurance?
Cyber liability insurance is a specific form of insurance that covers financial losses that arise from cyberincidents. Typically these are cyberattacks and data breaches. As with all insurance policies, you’ll harbor two hopes. One is that you never have to use it. The second is that if you do need to make a claim, the insurance company accepts your claim and pays out.
There’s a lot you can do to make your organization as safe as possible. However, there’s always a risk that a new vulnerability is discovered and exploited by threat actors before it is identified by the manufacturer and a patch is issued to address it. This is one form of zero-day vulnerability.
Another zero-day window is the short period between a new malware strain appearing and its being detected, characterized, and reflected in updates to anti-malware software. In that interim period, the malware can spread unchecked.
Another vulnerability is your staff. They need regular—at a minimum, annual—cyber awareness training and data protection training. The most common cyberthreats arrive by email, and it’s your staff who receive those emails. Most data breaches occur through staff mistakes or shortcuts. And, despite the training, they may still slip up.
Cybersecurity is a constant process of improvement and catch-up. You can never put a tick in the box that says “cybersecurity complete, 100% secure.” You’ll never reach the point of zero risks. And because there will never be zero risks you should strongly consider cyber liability insurance.
First-Party and Third-Party Cover
Cyber liability insurance policies vary greatly. What some providers include, others see as costed extras or leave out completely. An off-the-peg policy might not meet your needs. If your organization is sufficiently large, your IT infrastructure sufficiently complicated, or there is a strong likelihood that any financial damages or penalties could be crippling, you should negotiate a bespoke insurance policy.
Most policies provide first-party and third-party cover or, in insurance-speak, coverages. First-party coverages address direct financial expenses that your organization has to pay as a result of a data incident. You’re the first party and you’re being covered for out-of-pocket expenses you’ve suffered.
Third-party coverages apply to financial penalties your organization is compelled to pay because of claims and legal action by affected individuals. For example, the affected data subjects in a data breach may make a claim against you, either singly or as a class action. They’re the third party and you’re being covered for the costs of the damages they’ve suffered.
For example, a Finnish private psychotherapy clinic called Vastaamo was the victim of a massive data breach when its entire patient database was stolen in 2018. The database contained personally identifiable information, including transcripts of psychotherapy sessions.
Vastaamo refused to pay the blackmail ransom despite pressure from the threat actors who released 100 patients’ records a day onto the Dark Web. When that extortion method failed, in 2020 the cybercriminals approached the patients directly. They threatened to release their patient and session records unless they received a payment.
Had Vastaamo not collapsed into bankruptcy, the patients could have sued Vastaamo for failure to protect their personal data, and for failure to disclose the data breach. If Vastaamo had been covered by good cyber insurance they may have avoided bankruptcy—first-party coverage—and been able to weather the financial penalties from the data subjects’ litigations—third-party coverage. As it happened the company folded before the data subjects and data protection authority could bring cases against it.
Other Types of Cover
Comprehensive cyber liability policies provide a range of coverages, some of which may be optional. Each coverage is likely to have its own financial upper limit, which limits the degree of exposure the insurance providers face by insuring you. Some policies or coverages may require an excess. This is an amount of money that you will be expected to provide in the event of a claim and will be deducted from any insurance payout. Agreeing to an excess reduces your policy’s premium.
It’s important to ascertain whether your insurance covers the costs of engaging with expert assistance. This might be required for incident or crisis management, technical and forensic experts, negotiations with the threat actors, and communications management. Some insurers will provide these experts themselves in preference to paying for external support.
This list contains some common first-party coverages.
Covers the cost to restore data, reinstall operating systems and programs, or to replace software that has been damaged or destroyed beyond recovery. There may be a list of covered perils. If the damage is the result of something not on that list, you’re not covered, so check your policy carefully.
Loss of Income and Extra Expenses
If you are rendered unable to trade you’re suffering a loss of income. This coverage is for costs incurred in restoring your systems to operational status. Again, there will probably be a list of covered perils. Some policies even provide coverage for a loss of income you suffer because a trading partner, supplier, or other key partner such as a distributor is the victim of a cyberincident.
This is coverage for ransoms, blackmail, or similarly extorted payments made to the threat actors. The most common example is ransomware, but the payment might also be to prevent sensitive documents from being leaked online, to prevent a hacker from introducing a virus, or to stop a Distributed Denial of Service attack.
Robust policies will cover payments made as a result of any type of extortion as long as the insurer’s consent is obtained, and the best policies also provide a negotiator or coverage for the costs of hiring one.
Most modern data protection legislation, such as the General Data Protection Regulation and the Californian Consumer Protection Act, requires an organization to contact and inform affected data subjects of a data breach.
If the compromised data is likely to lead to financial damages to the data subjects, you may be expected to provide credit monitoring. If your breach is sufficiently severe—because of a very high number of affected data subjects, or because the breached data includes special category data such as medical information—you might need to dedicate staff to answering queries from the public, or to outsource this function. Check whether your policy provides coverage of this type.
Most cyber policies afford some coverage for crisis management expenses. Depending on your policy, the coverage might provide expert assistance to help deal with the incident, the recovery, damage limitation, and PR and business communications. Check whether your policy provides access to:
- Technical and forensic experts.
- Call centre and notification staff.
- Credit and identity theft monitoring services.
- PR firms.
- Legal counsel.
Network Security and Privacy Liability
If the cyberincident was made possible because of negligent acts, mistakes, failures, or omissions regarding your cybersecurity or breach notification, you may face legal claims from the affected data subjects. This coverage insures against those claims.
Electronic Media Liability
This is usually included in cyber liability insurance although it doesn’t directly address matters arising from a cyberincident. It provides coverage for lawsuits brought against your organization for acts of libel, slander, and defamation because of something published on a website, blog, or social media. Some insurers call this errors and omissions coverage.
If the supervisory or governing body for your data protection legislation levies fines or other penalties against your organization either for the breach or for your handling of the breach, this coverage will cover you for those losses. It should also pay for legal representation if required.
What isn’t Covered
Like all insurance contracts, cyber liability policies exclude certain types of claims. Here are some typical exclusions:
- Anything before the commencement of the policy.
- Physical personal harm or bodily injury.
- Property damage.
- Self-Sabotage: Intentional dishonest acts committed by a member of your organization.
- Acts of war and terrorism.
- Contractual liability.
- Utility failure.
- Improving Your IT. Your cyber insurance will get you back to where you were, not to where you needed to be to prevent the incident. It won’t aim to leave you in an improved condition. This is called betterment by insurers.
Acts of War and Terrorism
This is a biggie. If the cyberattack or cyberincident you’ve suffered is considered to have been an act of cyberwarfare or cyberterrorism, your insurance company will not pay out. The standard exclusion in all business insurance for acts of war and terrorism will come into effect.
State-sponsored hacking groups known as Advanced Persistent Threats (APTs) regularly conduct campaigns that spill over and create collateral damage in the business world at large.
The NotPetya ransomware attacks of 2017 were targeted at users of a particular business accounting package that was heavily used in Ukraine. NotPetya soon spread to attack organizations around the globe. The attack has been attributed to the Russian military by Australia, New Zealand, Canada, Japan, the United States, Denmark, and the United Kingdom. That attribution has had a tremendous impact on a great many businesses.
Food and beverage giant Mondelēz was hit by NotPetya and suffered losses of over US$100 million. Their insurer, Zurich Insurance Group, claims that because the Russian military was behind the malware, the cyberattack was an act of cyberwarfare. Zurich says that releases it from any liability. Not surprisingly, Mondelēz International is suing Zurich Insurance Group for US$100 million.
The war and terrorism clauses are variously worded from policy to policy but can be paraphrased as “…excludes damage caused by a hostile or warlike action in times of peace or war by any government or sovereign power’s military, naval or air force, or agent or authority thereof.” So it doesn’t actually require a state or act of war for the exclusion to apply. A hostile action by a foreign power or government in peacetime can trigger the exclusion clause.
It’ll be interesting to see what the outcome of Mondelēz International v. Zurich Insurance Group is. With the ever-increasing number of APT activities, the average business organization is unlikely to be a direct target, but the likelihood of getting caught in the cross-fire increases accordingly.
If you do get hit and the attribution points to an APT, it may not matter what coverage you do or don’t have in your policy—your policy might well be void.