In an age when technology and digital connectivity have become integral to every business, cyber security has emerged as an essential IT practice and a critical risk management element for an organisation’s continuity toolkit.
The increasing sophistication of cyber threats, coupled with regulatory changes, has made adopting and maintaining robust cyber security systems necessary. Insuring against such threats is still a relatively new concept for many businesses and as cyber security incidents grow, insurers have become more stringent in their underwriting practices. They’re scrutinising companies’ cyber security practices more closely and expecting businesses to be honest about their cyber security. Companies that fail to mitigate their cyber risks might find themselves uninsured.
In this article, I highlight the importance of rigorous cyber risk management and the potential pitfalls that could lead to denied insurance claims.
Understanding cyber security insurance
Cyber security insurance is specifically designed to protect businesses from financial losses from cyber attacks. It offers a financial safety net for organisations of all sizes, ensuring they can recover from a cyber incident’s potentially devastating economic impact.
However, it’s important to note that having cyber security insurance does not guarantee a payout in the event of an incident. Your policy may not cover certain types of cyber attacks, or you may have deviated from, or failed to meet, the security requirements stipulated in your policy. It is crucial to carefully scrutinise your policy and protect your business adequately.
Denied cyber security insurance claims
Due to the inherent risks associated with fulfilling payouts, cyber liability insurance companies increasingly embed their policies with coverage exceptions. It’s important to be wary of policies that aren’t in plain English and are full of legal jargon designed to reduce payouts and enhance the loss ratio – the ratio of premiums to payouts drives the profitability of cyber liability insurers.
Ensuring you get paid without trouble requires education, preparation and thorough documentation. By becoming aware of the potential for reduced payouts, businesses can form strategies to lessen the risk. It helps to understand the main reasons cyber insurance is denied.
Poor prevention measures
Insurance companies deny claims primarily because the policyholder fails to adhere to the insurance policy’s data protection terms. Compliance reporting, together with implementing the necessary compliance measures, is invaluable for businesses in addressing this issue.
In the case of US company Cottage Health System and its cyber insurer, Columbia Casualty Company, Columbia Casualty successfully argued that Cottage Health had not complied with the terms of its policy, which included maintaining specific minimum risk controls. Similarly, Travelers Property Casualty Company denied a ransomware attack claim by International Control Services, arguing that the company failed to properly use multifactor authentication, a requirement for obtaining cyber insurance.
Failure to document preventive actions
It’s all well and good to have the measures in place, but it’s also critical to document them before a disaster occurs. This process can be cumbersome, but a compliance management solution can simplify it by automating the creation of compliance documents, screenshots and data. A cyber security consultant can work with businesses to make that happen.
Fault of a third party or contractor
Continuous assessments can help identify and rectify security vulnerabilities before threat actors exploit them. Sometimes the third party may not have malicious intent, so it’s critical to have processes that protect your data, such as limiting access by third parties and contractors.
Accidental errors and omissions
By generating detailed information and data reports, clients can present a clear narrative to their insurance providers. Compliance software can collect and record accurate data in advance, making it easier to provide necessary documentation in the event of a cyber security disaster.
Limited coverage duration
Cyber liability insurance plans differ and sometimes coverage doesn’t extend beyond the interruption timeframe. Organisations must be across their policy’s coverage duration as it could mean the difference between covering all their losses or just a fraction.
The role of a cyber security expert
Given the complexity of cyber security and the potential for denied insurance claims, businesses should consider engaging a cyber security expert. A professional in this field can assess your risks, help you develop a comprehensive cyber security plan, and ensure that your business complies with your insurance policy’s requirements.
This includes maintaining good cyber security hygiene, understanding insurance jargon, and ensuring adequate coverage for all potential cyber threats.
How tighter policies can affect coverage
Businesses must stay abreast of policy changes and exclusions to ensure their coverage remains valid. Some insurance companies, for instance, might exclude certain types of cyber attacks from their coverage or require businesses to implement specific cyber security measures as a condition of their policy.
Six essential steps
There are several steps businesses can take to manage their cyber risks effectively. I must stress this is not a “set and forget” activity – cyber security must keep pace with the activities of malicious cyber criminals.
Actions include:
- Conducting regular risk assessments
- Implementing a robust cyber security infrastructure
- Regularly updating and patching systems
- Training staff on cyber security best practices
- Engaging a cyber security expert to develop a comprehensive strategy
- Regularly reviewing and updating their cyber security insurance policy
By taking these steps, businesses can protect themselves against cyber threats and ensure their insurance coverage remains valid.
Cyber security is no longer just an IT concern – it’s a critical risk management issue that can significantly impact a business’s financial stability. Cyber security insurance can offer some protection against the economic fallout of a cyber incident, but companies must ensure that they understand their policy and maintain robust cyber security practices. Engaging a cyber security expert can help businesses navigate this complex landscape and develop a strategy that protects them against cyber threats and ensures their insurance coverage is valid.
Ben Jones is head of cybersecurity at Mackay Goodwin.